csrf

package
v1.2.7 Latest Latest
Published: Dec 25, 2022 License: BSD-3-Clause Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

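// CSRF is an HTTP middleware that issues and validates anti-CSRF tokens.
//
// On GET a token is looked up from the X-CSRF-Token header, or failing that
// from the csrf_token cookie. When neither names a live entry in Csrf_tokens a
// fresh token is minted with utils.GenerateRandomString, stored in Csrf_tokens,
// and sent back as the csrf_token cookie. Tokens are therefore unique per
// client; the package-level Csrf_rand value is never handed out as a token.
//
// On POST, PATCH, PUT, UPDATE and DELETE the X-CSRF-Token header must name a
// live entry, otherwise a 400 JSON error is written and the wrapped handler is
// not called. Only the header is consulted for these methods: the cookie is
// never accepted on its own, because a browser attaches it to cross-site
// requests automatically. Every other method passes straight through.
//
// An unused token stays live until the map is flushed; a used one expires once
// it has authenticated more than CSRF_TIMEOUT_RETRY requests or is older than
// CSRF_CLEAN_EVERY. Stale entries are removed through the "csrf-clean" event,
// whose subscriber is registered once and also flushes the whole map on the
// first event after an hour.
var CSRF = func(handler http.Handler) http.Handler {
	onc.Do(func() {
		if !Used {
			lastFlush := time.Now()
			eventbus.Subscribe("csrf-clean", func(data string) {
				if data != "" {
					Csrf_tokens.Delete(data)
				}
				// NOTE(review): lastFlush is updated without a lock; this is only
				// safe if eventbus delivers to this subscriber sequentially — confirm.
				if time.Since(lastFlush) > time.Hour {
					Csrf_tokens.Flush()
					lastFlush = time.Now()
				}
			})
			Used = true
		}
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet:
			token := r.Header.Get("X-CSRF-Token")
			tok, ok := Csrf_tokens.Get(token)
			if token == "" || !csrfTokenValid(tok, ok) {
				// Plain page loads carry no header; reuse the cookie's token while it
				// is live so one browser keeps one entry instead of minting a new
				// one on every request.
				if c, err := r.Cookie("csrf_token"); err == nil && c.Value != "" {
					token = c.Value
					tok, ok = Csrf_tokens.Get(token)
				}
			}
			if token == "" || !csrfTokenValid(tok, ok) {
				t := utils.GenerateRandomString(20)
				Csrf_tokens.Set(t, Token{
					Value:   t,
					Used:    false,
					Retry:   0,
					Remote:  r.UserAgent(),
					Created: time.Now(),
				})
				setCSRFCookie(w, r, t)
			}
			handler.ServeHTTP(w, r)
			return

		case http.MethodPost, http.MethodPatch, http.MethodPut, "UPDATE", http.MethodDelete:
			token := r.Header.Get("X-CSRF-Token")
			tok, ok := Csrf_tokens.Get(token)
			if token == "" || !csrfTokenValid(tok, ok) {
				// Published even when tok is the zero value: the subscriber skips the
				// empty key but still runs its hourly flush check.
				eventbus.Publish("csrf-clean", tok.Value)
				// Csrf_rand no longer seeds any token; the rotation is kept only
				// because the variable is exported. The write is unsynchronised.
				Csrf_rand = utils.GenerateRandomString(20)
				writeCSRFError(w)
				return
			}
			// Record the use. Created is preserved so the CSRF_CLEAN_EVERY window
			// runs from minting, not from the most recent request. Remote is only
			// recorded, never compared against the request.
			Csrf_tokens.Set(tok.Value, Token{
				Value:   tok.Value,
				Used:    true,
				Retry:   tok.Retry + 1,
				Remote:  r.UserAgent(),
				Created: tok.Created,
			})
			handler.ServeHTTP(w, r)
			return

		default:
			handler.ServeHTTP(w, r)
		}
	})
}

// csrfTokenValid reports whether a Csrf_tokens lookup result is still usable.
// ok is the found flag from the lookup. An unused token never expires here (it
// is only dropped by the hourly flush); a used one is rejected after more than
// CSRF_TIMEOUT_RETRY uses or once it is older than CSRF_CLEAN_EVERY.
func csrfTokenValid(tok Token, ok bool) bool {
	if !ok {
		return false
	}
	if !tok.Used {
		return true
	}
	return tok.Retry <= CSRF_TIMEOUT_RETRY && time.Since(tok.Created) <= CSRF_CLEAN_EVERY
}

// setCSRFCookie sends value to the client as the csrf_token cookie. The cookie
// is deliberately not HttpOnly — the X-CSRF-Token header is presumably filled
// from it by client-side script (confirm against the front end). Secure is set
// whenever this server itself terminated TLS.
func setCSRFCookie(w http.ResponseWriter, r *http.Request, value string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "csrf_token",
		Value:    value,
		Path:     "/",
		Expires:  time.Now().Add(5 * time.Minute),
		Secure:   r.TLS != nil,
		SameSite: http.SameSiteStrictMode,
	})
}

// writeCSRFError rejects the request with a 400 status and a JSON error body.
func writeCSRFError(w http.ResponseWriter) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusBadRequest)
	// The status line is already committed, so an encode failure cannot be
	// reported to the client; there is nothing further to do with it.
	_ = json.NewEncoder(w).Encode(map[string]any{
		"error": "CSRF not allowed",
	})
}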
// CSRF_CLEAN_EVERY is how long a used token stays valid after it was minted;
// CSRF treats a used token older than this as expired.
var CSRF_CLEAN_EVERY time.Duration = 20 * time.Minute
// CSRF_TIMEOUT_RETRY caps how many state-changing requests a single token may
// authenticate; CSRF rejects a used token whose Retry count exceeds it.
var CSRF_TIMEOUT_RETRY int = 20
// Csrf_rand is a 20-character random string created at package init. CSRF
// replaces it with a fresh value whenever it rejects a state-changing request;
// that write is not synchronised, so concurrent readers race with it.
var Csrf_rand string = utils.GenerateRandomString(20)
// Csrf_tokens holds every live token keyed by its Value. CSRF reads, writes
// and deletes entries, and the "csrf-clean" subscriber flushes the whole map
// on the first event that arrives more than an hour after the previous flush.
var Csrf_tokens = safemap.New[string, Token]()
// Used records that the "csrf-clean" subscriber has been registered; CSRF sets
// it inside onc.Do and never resets it.
var Used = false

Functions

This section is empty.

Types

type Token added in v1.0.62

// Token is one entry in Csrf_tokens. CSRF stores a new one on GET when the
// request carries no live token and rewrites it on every accepted
// state-changing request.
type Token struct {
	// Used becomes true once the token has authenticated a POST, PATCH, PUT,
	// UPDATE or DELETE request.
	Used bool
	// Retry counts the state-changing requests accepted with this token;
	// CSRF rejects a used token once it exceeds CSRF_TIMEOUT_RETRY.
	Retry int
	// Value is the token string itself; it is also the Csrf_tokens key and
	// the csrf_token cookie value.
	Value string
	// Remote is the User-Agent of the request that created or last used the
	// token. It is recorded but never checked against a request.
	Remote string
	// Created is when the token was minted; it is preserved across uses so
	// the CSRF_CLEAN_EVERY window runs from minting.
	Created time.Time
}
