x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity
This repository has been archived on 2025-08-09. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
a38a9f010dad844fd7227521dc58e5a228d924c4
web-app-template/handler/middleware/cross_site_request_forgery.go
Tim Wundenberg a38a9f010d
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 42s
Details
chore(test): add test for cache control
2024-12-16 22:51:23 +01:00

76 lines
2.0 KiB
Go
Raw Blame History

package middleware
import (
"fmt"
"net/http"
"strings"
"me-fit/service"
)
type csrfResponseWriter struct {
http.ResponseWriter
auth service.Auth
session *service.Session
}
func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
return &csrfResponseWriter{
ResponseWriter: w,
auth: auth,
session: session,
}
}
func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
dataStr := string(data)
if strings.Contains(dataStr, "</form>") {
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
if err == nil {
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
dataStr = strings.ReplaceAll(dataStr, "CSRF_TOKEN", csrfToken)
}
}
return rr.ResponseWriter.Write([]byte(dataStr))
}
func (rr *csrfResponseWriter) WriteHeader(statusCode int) {
rr.ResponseWriter.WriteHeader(statusCode)
}
func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session := GetSession(r)
if r.Method == http.MethodPost ||
r.Method == http.MethodPut ||
r.Method == http.MethodDelete ||
r.Method == http.MethodPatch {
csrfToken := r.FormValue("csrf-token")
if csrfToken == "" {
csrfToken = r.Header.Get("csrf-token")
}
if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
http.Error(w, "", http.StatusForbidden)
return
}
}
if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
session, _ = auth.SignInAnonymous()
cookie := CreateSessionCookie(session.Id)
http.SetCookie(w, &cookie)
}
responseWriter := newCsrfResponseWriter(w, auth, session)
next.ServeHTTP(responseWriter, r)
})
}
}
Reference in New Issue View Git Blame Copy Permalink