Skip to content

Commit

Permalink
doc: adding csrf support
Browse files Browse the repository at this point in the history
  • Loading branch information
katallaxie authored Oct 29, 2024
1 parent 9fcfa37 commit 2d49037
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 40 deletions.
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,19 @@ $ go get github.com/zeiss/fiber-goth
* GitHub (github.com, Enterprise, and Enterprise Cloud)
* Microsoft Entra ID

## CSRF

The middleware supports CSRF protection. It is added via the following package.

```golang
import "github.com/zeiss/fiber-goth/csrf"

app := fiber.New()
app.Use(csrf.New())
```

The CSRF protection depends on the session middleware.

## Examples

See [examples](https://github.com/zeiss/fiber-goth/tree/master/examples) to understand the provided interfaces
Expand Down
81 changes: 41 additions & 40 deletions csrf/csrf.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ import (
"time"

"github.com/google/uuid"
"github.com/valyala/fasthttp"
goth "github.com/zeiss/fiber-goth"
"github.com/zeiss/fiber-goth/adapters"
"github.com/zeiss/pkg/slices"
Expand All @@ -22,6 +21,8 @@ var (
ErrMissingSession = fiber.NewError(fiber.StatusForbidden, "missing session in context")
// ErrGenerateToken is returned when the token generator returns an error.
ErrGenerateToken = fiber.NewError(fiber.StatusForbidden, "failed to generate csrf token")
// ErrMissingToken is returned when the token is missing from the request.
ErrMissingToken = fiber.NewError(fiber.StatusForbidden, "missing csrf token in request")
)

// HeaderName is the default header name used to extract the token.
Expand Down Expand Up @@ -56,35 +57,6 @@ type Config struct {
// Extractor is the function used to extract the token from the request.
Extractor func(c *fiber.Ctx) (string, error)

// Indicates if CSRF cookie is secure.
// Optional. Default value false.
CookieSecure bool

// Decides whether cookie should last for only the browser sesison.
// Ignores Expiration if set to true
CookieSessionOnly bool

// SingleUseToken indicates if the CSRF token be destroyed
// and a new one generated on each use.
//
// Optional. Default: false
SingleUseToken bool

// CookieName is the name of the cookie used to store the session.
CookieName string

// CookieSameSite is the SameSite attribute of the cookie.
CookieSameSite fasthttp.CookieSameSite

// CookiePath is the path of the cookie.
CookiePath string

// CookieDomain is the domain of the cookie.
CookieDomain string

// CookieHTTPOnly is the HTTPOnly attribute of the cookie.
CookieHTTPOnly bool

// TrustedOrigins is a list of origins that are allowed to set the cookie.
TrustedOrigins []string

Expand All @@ -98,8 +70,6 @@ type Config struct {
// ConfigDefault is the default config.
var ConfigDefault = Config{
IdleTimeout: 30 * time.Minute,
CookieName: "csrf_",
CookieSameSite: fasthttp.CookieSameSiteLaxMode,
ErrorHandler: defaultErrorHandler,
Extractor: FromHeader(HeaderName),
TokenGenerator: DefaultCsrfTokenGenerator,
Expand Down Expand Up @@ -138,14 +108,6 @@ func configDefault(config ...Config) Config {
cfg.IdleTimeout = ConfigDefault.IdleTimeout
}

if cfg.CookieName == "" {
cfg.CookieName = ConfigDefault.CookieName
}

if cfg.CookieSameSite == 0 {
cfg.CookieSameSite = ConfigDefault.CookieSameSite
}

if cfg.ErrorHandler == nil {
cfg.ErrorHandler = ConfigDefault.ErrorHandler
}
Expand Down Expand Up @@ -253,3 +215,42 @@ func FromHeader(param string) func(c *fiber.Ctx) (string, error) {
return token, nil
}
}

// FromParam returns a function that extracts token from the request query parameter.
func FromParam(param string) func(c *fiber.Ctx) (string, error) {
return func(c *fiber.Ctx) (string, error) {
token := c.Params(param)

if utilx.Empty(token) {
return "", ErrMissingToken
}

return token, nil
}
}

// FromForm returns a function that extracts token from the request form.
func FromForm(param string) func(c *fiber.Ctx) (string, error) {
return func(c *fiber.Ctx) (string, error) {
token := c.FormValue(param)

if utilx.Empty(token) {
return "", ErrMissingToken
}

return token, nil
}
}

// FromQuery returns a function that extracts token from the request query parameter.
func FromQuery(param string) func(c *fiber.Ctx) (string, error) {
return func(c *fiber.Ctx) (string, error) {
token := c.Query(param)

if utilx.Empty(token) {
return "", ErrMissingToken
}

return token, nil
}
}

0 comments on commit 2d49037

Please sign in to comment.