This repository has been archived by the owner on Mar 21, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
xsrf.go
148 lines (120 loc) · 3.25 KB
/
xsrf.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
// Copyright 2015 The Tango Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package xsrf
import (
"fmt"
"html/template"
"net/http"
"time"
"github.com/go-xweb/uuid"
"github.com/lunny/tango"
)
const (
XSRF_TAG string = "_xsrf"
)
type Xsrfer interface {
CheckXsrf() bool
}
type NoCheck struct {
}
func (NoCheck) InitXsrfer(*tango.Context, time.Duration) {}
func (NoCheck) CheckXsrf() bool {
return false
}
var _ Xsrfer = NoCheck{}
type XsrfChecker interface {
SetXsrf(string, *tango.Context, time.Duration)
AutoCheck() bool
}
type Checker struct {
XsrfValue string
ctx *tango.Context
timeout time.Duration
}
func (Checker) CheckXsrf() bool {
return true
}
func (c *Checker) SetXsrf(v string, ctx *tango.Context, timeout time.Duration) {
c.XsrfValue = v
c.ctx = ctx
c.timeout = timeout
}
func (c *Checker) AutoCheck() bool {
return true
}
func (c *Checker) XsrfFormHtml() template.HTML {
return template.HTML(fmt.Sprintf(`<input type="hidden" name="%v" value="%v" />`,
XSRF_TAG, c.XsrfValue))
}
func (c *Checker) Renew() {
var val = uuid.NewRandom().String()
var cookie = newCookie(XSRF_TAG, val, int64(c.timeout.Seconds()))
c.ctx.Cookies().Del(XSRF_TAG)
c.ctx.Cookies().Set(cookie)
//c.ctx.Header().Set("Set-Cookie", cookie.String())
}
func (c *Checker) IsValid() bool {
if c.ctx.Req().Method == "POST" {
res, err := c.ctx.Req().Cookie(XSRF_TAG)
formVal := c.ctx.Req().FormValue(XSRF_TAG)
if err != nil || res.Value == "" || res.Value != formVal {
return false
}
}
return true
}
var _ XsrfChecker = &Checker{}
func New(timeout time.Duration) tango.HandlerFunc {
return func(ctx *tango.Context) {
var action interface{}
if action = ctx.Action(); action == nil {
ctx.Next()
return
}
// if action implements check xsrf option and ask not check then return
if checker, ok := action.(Xsrfer); ok && !checker.CheckXsrf() {
ctx.Next()
return
}
var val string = ""
cookie, err := ctx.Req().Cookie(XSRF_TAG)
if err != nil {
val = uuid.NewRandom().String()
cookie = newCookie(XSRF_TAG, val, int64(timeout.Seconds()))
ctx.Cookies().Del(XSRF_TAG)
ctx.Cookies().Set(cookie)
//ctx.Header().Set("Set-Cookie", cookie.String())
} else {
val = cookie.Value
}
if c, ok := action.(XsrfChecker); ok {
c.SetXsrf(val, ctx, timeout)
if c.AutoCheck() {
if ctx.Req().Method == "POST" {
res, err := ctx.Req().Cookie(XSRF_TAG)
formVal := ctx.Req().FormValue(XSRF_TAG)
if err != nil || res.Value == "" || res.Value != formVal {
ctx.Abort(http.StatusInternalServerError, "xsrf token error.")
ctx.Error("xsrf token error.")
return
}
}
}
}
ctx.Next()
}
}
// NewCookie is a helper method that returns a new http.Cookie object.
// Duration is specified in seconds. If the duration is zero, the cookie is permanent.
// This can be used in conjunction with ctx.SetCookie.
func newCookie(name string, value string, age int64) *http.Cookie {
var utctime time.Time
if age == 0 {
// 2^31 - 1 seconds (roughly 2038)
utctime = time.Unix(2147483647, 0)
} else {
utctime = time.Unix(time.Now().Unix()+age, 0)
}
return &http.Cookie{Name: name, Path: "/", Value: value, Expires: utctime}
}