Tim Wundenberg
7475d56949
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 36s
85 lines
2.0 KiB
Go
85 lines
2.0 KiB
Go
package middleware
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"me-fit/service"
|
|
|
|
"net/http"
|
|
)
|
|
|
|
type csrfResponseWriter struct {
|
|
http.ResponseWriter
|
|
auth service.Auth
|
|
session *service.Session
|
|
}
|
|
|
|
func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
|
|
return &csrfResponseWriter{
|
|
ResponseWriter: w,
|
|
auth: auth,
|
|
session: session,
|
|
}
|
|
}
|
|
|
|
func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
|
|
dataStr := string(data)
|
|
if strings.Contains(dataStr, "</form>") {
|
|
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
|
|
if err == nil {
|
|
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
|
|
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
|
|
}
|
|
}
|
|
|
|
return rr.ResponseWriter.Write([]byte(dataStr))
|
|
}
|
|
|
|
func (rr *csrfResponseWriter) WriteHeader(statusCode int) {
|
|
rr.ResponseWriter.WriteHeader(statusCode)
|
|
}
|
|
|
|
func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
session := GetSession(r)
|
|
|
|
if r.Method == http.MethodPost ||
|
|
r.Method == http.MethodPut ||
|
|
r.Method == http.MethodDelete ||
|
|
r.Method == http.MethodPatch {
|
|
|
|
csrfToken := r.FormValue("csrf-token")
|
|
if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
|
|
http.Error(w, "", http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
if session == nil {
|
|
var err error
|
|
session, err = auth.SignInAnonymous()
|
|
if err != nil {
|
|
http.Error(w, "", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
cookie := http.Cookie{
|
|
Name: "id",
|
|
Value: session.Id,
|
|
MaxAge: 60 * 60 * 8, // 8 hours
|
|
Secure: true,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
Path: "/",
|
|
}
|
|
http.SetCookie(w, &cookie)
|
|
|
|
responseWriter := newCsrfResponseWriter(w, auth, session)
|
|
next.ServeHTTP(responseWriter, r)
|
|
})
|
|
}
|
|
}
|