go/authboss
1
0
Fork 0
mirror of https://github.com/volatiletech/authboss.git synced 2025-01-06 03:54:17 +02:00
Code Issues Releases Activity

Add XSRF to all forms.

Browse Source
This commit is contained in:
Kris Runzer 2015-02-15 21:23:37 -08:00
parent d0dd19689b
commit f7e1ff2c8c
10 changed files with 138 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
auth/auth.go
View File

@ -36,6 +36,9 @@ type AuthPage struct {
FlashSuccess string
FlashError string
XSRFName string
XSRFToken string
}
type Auth struct {
@ -84,7 +87,12 @@ func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
}
}
page := AuthPage{ShowRemember: a.isRememberLoaded, ShowRecover: a.isRecoverLoaded}
page := AuthPage{
ShowRemember: a.isRememberLoaded,
ShowRecover: a.isRecoverLoaded,
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(w, r),
}
if msg, ok := ctx.SessionStorer.Get(authboss.FlashSuccessKey); ok {
page.FlashSuccess = msg
@ -103,7 +111,14 @@ func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
w.WriteHeader(http.StatusForbidden)
tpl := a.templates[pageLogin]
tpl.ExecuteTemplate(w, tpl.Name(), AuthPage{err.Error(), u, a.isRememberLoaded, a.isRecoverLoaded, "", ""})
tpl.ExecuteTemplate(w, tpl.Name(), AuthPage{
Error: err.Error(),
Username: u,
ShowRemember: a.isRememberLoaded,
ShowRecover: a.isRecoverLoaded,
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(w, r),
})
}
p, ok := ctx.FirstPostFormValue("password")
@ -115,7 +130,14 @@ func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
fmt.Fprintln(authboss.Cfg.LogWriter, err)
w.WriteHeader(http.StatusForbidden)
tpl := a.templates[pageLogin]
tpl.ExecuteTemplate(w, tpl.Name(), AuthPage{"invalid username and/or password", u, a.isRememberLoaded, a.isRecoverLoaded, "", ""})
tpl.ExecuteTemplate(w, tpl.Name(), AuthPage{
Error: "invalid username and/or password",
Username: u,
ShowRemember: a.isRememberLoaded,
ShowRecover: a.isRecoverLoaded,
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(w, r),
})
return
}

24
internal/views/bindata.go
View File

@ -76,7 +76,7 @@ func confirm_email_html_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "confirm_email.html.tpl", size: 26, mode: os.FileMode(438), modTime: time.Unix(1423614192, 0)}
info := bindata_file_info{name: "confirm_email.html.tpl", size: 26, mode: os.FileMode(438), modTime: time.Unix(1424060528, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@ -96,7 +96,7 @@ func confirm_email_txt_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "confirm_email.txt.tpl", size: 9, mode: os.FileMode(438), modTime: time.Unix(1423614183, 0)}
info := bindata_file_info{name: "confirm_email.txt.tpl", size: 9, mode: os.FileMode(438), modTime: time.Unix(1424060528, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@ -116,7 +116,7 @@ func layout_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "layout.tpl", size: 1603, mode: os.FileMode(438), modTime: time.Unix(1423556408, 0)}
info := bindata_file_info{name: "layout.tpl", size: 1603, mode: os.FileMode(438), modTime: time.Unix(1423465727, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@ -136,12 +136,12 @@ func layoutemail_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "layoutEmail.tpl", size: 34, mode: os.FileMode(438), modTime: time.Unix(1423556408, 0)}
info := bindata_file_info{name: "layoutEmail.tpl", size: 34, mode: os.FileMode(438), modTime: time.Unix(1423465727, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _login_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xcc\x94\x4b\x8e\xa3\x30\x10\x86\xf7\x23\xcd\x1d\x2c\xef\x09\x17\x00\xa4\x59\xcc\x6e\x46\x13\x4d\xba\x0f\x60\x4c\x11\xac\xd8\x2e\xcb\xd8\x79\x08\x71\xf7\x36\xcf\x06\xf2\xe8\x6d\x47\xb2\x54\xaa\xd4\xff\xa7\xfe\x2f\x86\xa4\x44\xab\x08\xe3\x4e\xa0\x4e\x69\x2c\xf1\x28\x34\x25\x0a\x5c\x85\x45\x4a\xf7\xff\x0e\x6f\x34\xfb\xf9\x83\x84\x4f\x52\x88\x33\xe1\x92\xd5\x75\x4a\x3b\x51\x74\xb4\xe8\x4d\xd3\x88\x92\xec\x7e\x5b\x8b\xb6\x6d\x49\xc5\xea\x08\xba\xba\x69\x40\x17\x6d\x3b\x69\xb7\x7a\xa1\x8d\x77\x83\xc1\x72\xa4\x1f\xab\x0d\xd3\x0f\xe6\x22\x56\x14\xa8\x69\x96\x88\x79\x09\x46\x4a\x16\xf9\x1a\x6c\xe8\xc6\x22\x9c\x4e\xba\xb5\xeb\x2d\x88\xbb\x19\x48\xa9\x83\xab\xa3\xab\x0c\x1c\xb5\xb3\x28\x29\xd1\x4c\x85\x81\xce\xac\xab\x28\x31\x92\x71\xa8\x50\x16\x60\x53\xfa\x3e\xb7\xcf\x4c\xfa\x30\xd7\x34\xbb\xa9\xb7\x09\x19\x87\x94\x13\xb0\x65\xfd\x3d\xe1\x49\xe4\xa7\xaf\xe1\x8d\xf4\x4c\x10\x5e\xd0\x16\x2f\x09\x7e\x0e\xad\x08\xee\xa7\xf6\x13\x56\x77\xcb\x57\x20\x4d\x94\x0f\xfb\x05\xda\x23\xa3\xd5\x96\x4b\xfd\x40\xf2\x50\xe1\xe5\x3f\x28\x50\x39\x84\xe1\x7b\xf2\xbc\x02\x7e\xca\xf1\xba\xda\x42\xb2\x1c\xe4\xab\x5b\x33\xab\xc6\x88\x56\xcd\xf7\xc0\x59\x0f\x34\x23\xd3\x6f\x92\xbf\xb0\x8c\xb7\x74\x5e\x2f\xdb\xff\xbf\xe3\x17\xb9\x77\x0e\xe7\xdc\xb9\xd3\x24\x9c\xc8\x58\xa1\x98\xbd\xf5\xf5\x80\x61\xdc\xa6\xf6\xb9\x12\x8e\x66\x7f\xba\x27\x35\x89\x07\xf5\x03\x0a\x1c\xcf\x0b\x08\x6c\xeb\x2f\x85\x3e\x3d\x35\x27\x95\x85\x32\xbc\x0d\xec\xe0\x42\xb3\xd1\x8e\xfc\xe2\x1c\xbd\x76\x49\xcc\xb6\x51\x92\xb8\xbb\x0d\xd9\x47\x00\x00\x00\xff\xff\x94\xfa\xa3\xd7\x4f\x04\x00\x00")
var _login_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xcc\x94\xcd\x6e\xdc\x20\x10\xc7\xef\x95\xfa\x0e\x88\xbb\xe3\x17\xb0\x2d\xf5\xd0\x9e\xfa\x11\x65\x53\xa9\x57\x0c\xb3\x01\x2d\x30\x08\xc3\x26\x91\xb5\xef\x5e\x58\x7f\x14\x6f\x36\xdb\x6b\x2c\x21\x8d\xc6\xf3\xff\x7b\xe6\x07\xb8\xd9\xa3\x37\x84\xf1\xa0\xd0\xb6\xb4\xd6\xf8\xa4\x2c\x25\x06\x82\x44\xd1\xd2\xfb\x5f\xbb\x47\xda\x7d\xfe\x44\xd2\xd3\x08\x75\x24\x5c\xb3\x61\x68\x69\x16\x55\x4f\x1e\xa3\x1b\x47\xb5\x27\x77\x5f\xbd\x47\x7f\x3a\x11\xc9\x86\x0a\x72\x3c\x8e\x60\xc5\xe9\xb4\x68\x2f\xf5\xca\xba\x18\x26\x83\xb2\xe4\x5c\x36\x38\x66\xaf\xd4\x55\x4c\x08\xb4\xb4\x6b\xd4\xda\x04\x23\x7b\x56\xc5\x01\x7c\xca\xd6\x2a\xad\x2c\xbd\xb4\x3b\x5b\x90\xf0\xea\xa0\xa5\x01\x5e\x02\xdd\xcc\xc0\xd1\x06\x8f\x9a\x12\xcb\x4c\x2a\xc8\x66\x39\xa2\xc4\x69\xc6\x41\xa2\x16\xe0\x5b\xfa\x7b\x4d\x1f\x99\x8e\xa9\x6e\x1c\xef\x96\xdc\xc5\x90\x75\x9a\x72\x01\x56\xc6\x1f\x13\x9e\x46\x7e\xf8\x3f\xbc\x99\x9e\x4b\xc2\x67\xf4\xe2\x26\xc1\x7f\x45\x1b\x82\xf7\x4b\xfa\x1d\x56\x6f\x9a\x97\xa0\x5d\xd5\x4f\xfd\x25\xda\x33\xa3\x4d\x97\xa5\x7e\x22\xb9\x93\xf8\xfc\x00\x06\x4c\x0f\xa9\xf8\x2d\x79\x2e\x81\x1f\x7a\x7c\xd9\x74\xa1\x59\x0f\xfa\xd6\xa9\x59\x55\xf3\x88\xde\xac\xe7\x20\xf8\x08\xb4\x23\xcb\x37\xc9\x0f\x28\xc7\x2b\x9d\xb7\xcd\x9e\xf7\x77\x7e\xd1\xc7\x10\x70\x9d\xbb\x0f\x96\xa4\x55\x39\xaf\x0c\xf3\xaf\xe7\x78\xc2\x30\x77\x33\xc4\xde\xa8\x40\xbb\xef\xf9\xa6\x36\xf5\xa4\xbe\x42\x81\xe3\xb1\x80\xc0\x2e\xfd\xb5\xb2\x87\x77\xcd\x89\xf4\xb0\x4f\x7f\x03\x3f\xb9\xd0\x6e\xb6\x23\x5f\x38\xc7\x68\x43\x53\xb3\xab\xa3\x94\xd4\xa4\x12\x02\xec\xc2\x2c\x6d\xe1\x9f\xdd\xc3\xb7\x9f\xd3\x85\x29\xae\x51\xce\x3e\xe2\x01\x6c\x4e\xd7\xc9\xb5\xa9\xf3\xb1\xea\xfe\x06\x00\x00\xff\xff\xb5\x6b\x5e\x3d\x98\x04\x00\x00")
func login_tpl_bytes() ([]byte, error) {
return bindata_read(
@ -156,12 +156,12 @@ func login_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "login.tpl", size: 1103, mode: os.FileMode(438), modTime: time.Unix(1423556408, 0)}
info := bindata_file_info{name: "login.tpl", size: 1176, mode: os.FileMode(438), modTime: time.Unix(1424065052, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _recover_complete_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xd4\x51\x41\xcf\x9b\x30\x0c\xbd\xf7\x57\x58\x51\xaf\x94\xfb\x04\x5c\xa6\x1d\xa7\x55\x6a\xff\x40\x20\xa6\x44\x0d\x49\x66\x42\xb7\x2a\xca\x7f\x5f\x20\xd0\x75\xa8\x95\x26\x4d\x3b\x7c\x48\x11\xb1\x63\x3f\xfb\xbd\x57\xb4\x86\x7a\xe0\x8d\x93\x46\x97\x2c\x27\x6c\xcc\x0d\x29\x6f\x4c\x6f\x15\x3a\x64\xd0\xa3\xeb\x8c\x28\xd9\xf1\xdb\xe9\xcc\xaa\x1d\xc4\xaf\x90\xda\x8e\x0e\xdc\xdd\x62\xc9\x3a\x29\x04\x6a\x06\x9a\xf7\x31\x72\xe6\x3a\x05\x37\xae\xc6\x18\x79\x7f\x38\x4f\x89\x10\x18\xe4\xa9\xd7\xfb\xbd\xe5\xc3\xf0\xc3\x90\xf8\x42\x34\xc0\xa7\x12\x0e\xf1\xf2\x95\xdb\xc3\x9a\x0f\x21\x4d\x11\xf2\x06\x8d\x8a\xc9\x92\x4d\x4b\x66\x17\x32\xa3\xf5\x5e\xb6\xf0\x07\x44\x08\xd0\xf1\x21\x43\x22\x43\xde\xa3\x8e\xfd\xcb\x9e\x5b\x94\x79\xed\x04\xf3\x54\x31\x57\x0d\x96\xeb\x17\x65\x19\x17\xc2\x68\x56\x15\xf2\xb1\x09\x87\x96\x67\xca\x34\xd7\x98\xcd\x65\x3c\x53\xeb\x06\x2d\xe9\xf3\xbc\x7b\x63\xb4\x23\xa3\xd8\x22\x9a\xc3\x9f\x6e\x95\x6c\xe5\xc2\xc0\x2a\xde\x60\x67\x94\x40\x8a\x7a\x3f\xd2\x84\xdf\x47\x49\x28\x56\x09\xe7\x11\x79\xe4\xf5\x3b\xf4\x9e\xb8\xbe\x20\xec\xa3\x0a\x93\xa4\x1b\x81\xde\x73\xed\x50\xd9\xac\x4e\x74\xbc\xb7\x24\xb5\x9b\x41\x42\xd8\x12\x5b\xa4\xdd\x3d\x4d\x5f\x0d\x8d\xe4\x5a\x49\xfd\xf1\x8d\xaf\x9b\xe7\xbf\xb0\xf7\x05\xe0\x47\x77\x79\x43\x69\x63\xf6\xe7\xf4\x0a\xff\x66\xfa\x4b\xd9\xfe\x93\xf7\xf3\xb5\x1e\x9d\x33\x0f\xbc\xda\x69\x88\x27\x8b\x48\x3d\xa7\xfb\x7c\x4f\xf0\x8b\x1e\xc3\x58\xf7\xd2\xb1\xea\x34\xff\x8b\x3c\xb5\x57\xbb\x22\x9f\xd4\xab\x7e\x05\x00\x00\xff\xff\x36\xd8\xe2\xc3\x8b\x04\x00\x00")
var _recover_complete_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xd4\x54\xc1\x8e\xd3\x30\x10\xbd\xef\x57\x8c\xac\xbd\xa6\xb9\xa3\xa4\x17\x04\x37\x60\x45\xf7\xc0\xd5\x8d\xa7\x1b\x6b\x1d\xdb\x4c\x9c\xc2\xca\xf2\xbf\x33\x8e\x9b\x6e\x89\x5a\x81\x84\x38\x6c\x24\x2b\x9e\xb1\xe7\x79\xde\x7b\xd2\x34\x07\x47\x03\xc8\x2e\x68\x67\x5b\x51\x13\x76\xee\x88\x54\x77\x6e\xf0\x06\x03\x0a\x18\x30\xf4\x4e\xb5\xe2\xe1\xcb\xee\x51\x6c\xef\x80\xbf\x46\x5b\x3f\x05\x08\x2f\x1e\x5b\xd1\x6b\xa5\xd0\x0a\xb0\x72\xe0\x28\xb8\xe7\x1c\x1c\xa5\x99\x38\x8a\x71\xf3\x98\x13\x29\x09\xa8\x4b\x6d\x8c\xf7\x5e\x8e\xe3\x0f\x47\xea\x03\xd1\x08\xef\x5a\xd8\xf0\xe6\x93\xf4\x9b\x25\x9f\x52\x79\x45\xe9\x23\x74\x86\x93\xad\xc8\x4d\x56\x4f\xe4\x26\x1f\xa3\x3e\xc0\x6f\x10\x29\x41\x2f\xc7\x0a\x89\x1c\xc5\x88\x96\xeb\x4f\x7d\xae\x51\xe6\xb6\x0b\xcc\xc5\x8d\xf9\xd6\xe8\xa5\xbd\x72\xad\x92\x4a\x39\x2b\xb6\x8d\x3e\x77\x22\xe1\x20\x2b\xe3\xba\x67\xce\xd6\x9a\x57\x2e\x5d\xa1\x15\x7d\x2e\x7b\xef\x9c\x0d\xe4\x8c\x38\x89\x16\xf0\x67\x58\x24\x5b\xb8\x08\xf0\x46\x76\xd8\x3b\xa3\x90\x58\xef\x73\x9a\xf0\xfb\xa4\x09\xd5\x22\xe1\xfc\x44\xcd\xbc\x5e\xc3\x18\x49\xda\x27\x84\x7b\x56\x21\x4b\xba\x12\xe8\x36\xd7\x1e\x8d\xaf\xf6\x85\x4e\x8c\x9e\xb4\x0d\x33\x48\x4a\x6b\x62\x27\x69\xef\x2e\x5e\x5f\x0c\x65\x72\x07\x4d\xc3\xc3\x0d\x5f\x57\xc7\x7f\x61\xef\x15\xc0\xb7\xee\xf2\x8a\xd2\xca\xec\xf7\xe5\x14\xfe\xcd\xf4\xab\xb2\xfd\x27\xef\xe7\xed\x7e\x0a\xc1\x9d\xf1\xf6\xc1\x02\xaf\x8a\x91\x06\x49\x2f\xf3\xbe\xc0\x9f\xf4\x18\xa7\xfd\xa0\x83\xd8\xee\xe6\x7f\x53\x97\xf2\x3f\xce\x14\x9e\x22\xdf\x76\x5f\x3f\x7e\xe6\x20\x0f\x92\xd7\xd9\x92\xb3\x97\xf3\xa5\xa9\xb3\x0b\xdb\x5f\x01\x00\x00\xff\xff\x30\xbb\xc0\xa5\xd3\x04\x00\x00")
func recover_complete_tpl_bytes() ([]byte, error) {
return bindata_read(
@ -176,7 +176,7 @@ func recover_complete_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "recover-complete.tpl", size: 1163, mode: os.FileMode(438), modTime: time.Unix(1423556408, 0)}
info := bindata_file_info{name: "recover-complete.tpl", size: 1235, mode: os.FileMode(438), modTime: time.Unix(1424063388, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@ -196,7 +196,7 @@ func recover_html_email() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "recover-html.email", size: 26, mode: os.FileMode(438), modTime: time.Unix(1422829950, 0)}
info := bindata_file_info{name: "recover-html.email", size: 26, mode: os.FileMode(438), modTime: time.Unix(1422773459, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@ -216,12 +216,12 @@ func recover_text_email() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "recover-text.email", size: 9, mode: os.FileMode(438), modTime: time.Unix(1422829950, 0)}
info := bindata_file_info{name: "recover-text.email", size: 9, mode: os.FileMode(438), modTime: time.Unix(1422773459, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _recover_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xd4\x94\xc1\x6e\xa3\x30\x10\x86\xef\x79\x8a\x91\x95\x2b\xe1\xbe\x02\x2e\xd1\x1e\x57\xbb\xda\x36\x0f\x30\x80\x09\x56\x8c\x6d\x0d\x26\x6a\x64\xf9\xdd\x6b\x20\xa1\x89\x45\xa4\xf6\xd0\x43\x91\x90\x8c\x19\x7f\xe3\xff\xff\x2d\x67\x8d\xa6\x0e\xb0\xb2\x42\xab\x9c\xa5\xc4\x2b\x7d\xe6\xc4\xa0\xe3\xb6\xd5\x75\xce\xfe\xfd\x7d\x79\x65\xc5\x06\xc2\xe3\xdc\x76\xe8\x39\x29\xec\xf8\x6f\xa2\x1e\x7e\xe5\xb0\x0b\x83\x3f\x68\x76\xb7\x79\xef\xa7\xca\xac\x16\x67\xa8\x24\xf6\x7d\xce\x46\x7e\x72\x24\x3d\x18\xe7\x44\x03\x0f\x08\xef\xa1\xc5\x3e\xe1\x44\x9a\x9c\xe3\xaa\xf6\xfe\xda\x2b\xa6\x08\x65\x06\x3b\x63\xee\x2a\xa6\xaa\xde\xa0\x5a\x29\x4b\xb0\xae\xb5\x62\x45\x26\x96\x9d\x20\x34\x98\x8c\xfd\xc3\x6c\x2a\xc2\x3b\x2e\x8d\x68\x13\xe1\x61\xef\x95\x56\x96\xb4\x64\x60\x2f\x86\xe7\xcc\xf2\x37\xcb\x60\x54\x90\xb3\x9b\x16\x06\x46\x62\xc5\x5b\x2d\x6b\x4e\x39\x3b\x2c\xd3\x67\x94\x43\xa8\x73\x6e\x77\x58\x1c\x62\x90\xde\x69\x4c\x83\xc8\x8f\x4f\xe7\x08\xd5\x91\xc3\x36\x58\x32\xfa\x1b\xb9\xf5\x5c\x78\xcb\xa5\x49\x4a\xa9\xab\x13\x2b\x9c\x33\x24\x94\x9d\x20\xde\xc7\x2a\xaf\x3e\x6f\xee\xba\xdf\xd2\x0d\x4a\x1b\x41\xdd\xe1\x49\xc8\xd1\xef\x4f\x64\xbd\x02\xfc\xe9\x91\x47\x92\xa2\xe4\xf7\xf3\x5f\x58\x3b\x01\xfb\xd8\xbe\x2f\x1d\x84\x55\x2b\xbf\xe9\x3c\x8c\xc3\xf9\xbb\x1c\xac\xd5\x0b\xb4\xb4\x0a\xc2\x9b\x04\x5c\x87\x74\x99\xc6\x73\x8f\xab\x51\xfd\x50\x76\xc2\xb2\xe2\xff\x7c\x8b\x64\xe9\xbc\x7e\x26\x66\x18\x73\xa4\x50\xa7\xa7\x10\x68\x89\x37\xe1\x46\x92\xfa\x28\x42\xa6\x7b\x54\x15\x97\x59\x8a\xc5\x26\x4b\xc7\x90\x8a\xf7\x00\x00\x00\xff\xff\xc2\xb1\x79\x5b\xba\x04\x00\x00")
var _recover_tpl = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xd4\x94\x4f\x8f\x9b\x30\x10\xc5\xef\xfb\x29\x46\xd6\x5e\x09\xf7\x0a\xb8\x44\xed\xad\x7f\xb4\xbb\x91\x7a\x9d\xc0\x10\xac\x18\x1b\x0d\x26\xea\xca\xe2\xbb\xd7\xc6\x24\x9b\x58\x89\xd4\x1e\x7a\x28\x12\x92\x19\xc6\xbf\xe1\xbd\x67\x51\xb4\x86\x7b\xc0\xda\x4a\xa3\x4b\x91\x33\xd5\xe6\x44\x2c\xa0\x27\xdb\x99\xa6\x14\x3f\xbe\xbf\xbe\x89\xea\x09\xfc\xe5\xdc\xf3\x34\x12\x6b\xec\xe9\x33\xf3\x08\x9f\x4a\xd8\xf8\xc5\x57\x1c\x36\xe7\xfa\x3c\x2f\x9d\x45\x23\x4f\x50\x2b\x1c\xc7\x52\x04\x7e\x76\x60\x33\x0d\xce\xc9\x16\x6e\x10\xf3\x0c\x1d\x8e\x19\x31\x1b\x76\x8e\x74\x33\xcf\xeb\xac\x94\x22\xf5\x30\xd9\x88\xb9\xea\x58\xba\xc6\x01\xf5\x9d\xb6\x0c\x9b\xc6\x68\x51\x15\xf2\xf2\x25\x08\x2d\x66\x61\xbe\xaf\xe6\xd2\xdf\x61\x6b\x42\x5b\x08\x37\xdf\x5e\x1b\x6d\xd9\x28\x01\xf6\x7d\xa0\x52\x58\xfa\x65\x05\x04\x05\xa5\x38\x6b\x11\x30\x28\xac\xa9\x33\xaa\x21\x2e\xc5\xee\x52\x3e\xa1\x9a\x7c\x9f\x73\x9b\xdd\xc5\x21\x01\xf9\x95\xc6\xdc\x8b\xfc\x78\x74\x8e\x51\x1f\x08\x9e\xbd\x25\xc1\xdf\xc4\xad\xc7\xc2\x3b\x52\x43\xb6\x57\xa6\x3e\x8a\xca\xb9\x81\xa5\xb6\x0b\x64\x9e\x53\x95\xab\xcf\x4f\x57\xd3\xcf\xe9\x7a\xa5\xad\xe4\x7e\xf7\x20\xe4\xe4\xf5\x1f\x64\x7d\x07\xf8\xbf\x47\x9e\x48\x4a\x92\xdf\xc6\xb7\x70\xef\x04\x6c\x53\xfb\xfe\xea\x20\xdc\xb5\xf2\x1f\x9d\x87\xb0\x8c\xcf\xfb\xc9\x5a\x73\x81\xee\xad\x06\x7f\x67\x1e\xd7\x23\xbf\x2f\xeb\x38\x63\x35\x6a\x9c\xf6\xbd\xb4\xa2\x7a\x89\x7f\x91\x22\x8f\xfb\x23\xb1\xc0\x94\xa3\xa4\x3e\x3e\x84\x40\xc7\xd4\xfa\x3f\x92\x32\x07\xe9\x33\xdd\xa2\xae\x49\x15\x39\xae\xb0\x18\x5a\xdc\xd1\xc9\xa6\x21\x7d\x4e\xc8\x5b\xfd\xf3\xf5\xe5\xcb\xb7\xd5\xe3\x8f\x00\x42\xf5\xcd\x1c\x49\xaf\xd6\x17\x79\x08\xbb\xfa\x1d\x00\x00\xff\xff\xfd\xfd\xd2\x06\x02\x05\x00\x00")
func recover_tpl_bytes() ([]byte, error) {
return bindata_read(
@ -236,7 +236,7 @@ func recover_tpl() (*asset, error) {
return nil, err
}
info := bindata_file_info{name: "recover.tpl", size: 1210, mode: os.FileMode(438), modTime: time.Unix(1423556408, 0)}
info := bindata_file_info{name: "recover.tpl", size: 1282, mode: os.FileMode(438), modTime: time.Unix(1424063407, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}

1
internal/views/templates/login.tpl
View File

@ -23,4 +23,5 @@
{{if .ShowRecover}}
<a class="btn btn-link btn-block" type="submit" href="/recover">Recover Account</a>
{{end}}
<input type="hidden" name="{{.XSRFName}}" value="{{.XSRFToken}}" />
</form>

1
internal/views/templates/recover-complete.tpl
View File

@ -22,4 +22,5 @@
{{end}}
</div>
<button class="btn btn-primary btn-block" type="submit">Submit</button>
<input type="hidden" name="{{.XSRFName}}" value="{{.XSRFToken}}" />
</form>

1
internal/views/templates/recover.tpl
View File

@ -23,4 +23,5 @@
<button class="btn btn-primary btn-block" type="submit">Recover</button>
<a class="btn btn-link btn-block" type="submit" href="/login">Cancel</a>
<input type="hidden" name="{{.XSRFName}}" value="{{.XSRFToken}}" />
</form>

25
recover/complete.go
View File

@ -19,6 +19,7 @@ type pageRecoverComplete struct {
Token, Password, ConfirmPassword string
ErrMap map[string][]string
FlashSuccess, FlashError string
XSRFName, XSRFToken string
}
func (m *RecoverModule) recoverCompleteHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r *http.Request) {
@ -43,10 +44,12 @@ func (m *RecoverModule) recoverCompleteHandlerFunc(ctx *authboss.Context, w http
page := pageRecoverComplete{
Token: token,
FlashError: flashutil.Pull(ctx.SessionStorer, authboss.FlashErrorKey),
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(w, r),
}
m.execTpl(tplRecoverComplete, w, page)
case methodPOST:
errPage := m.recoverComplete(ctx)
errPage := m.recoverComplete(ctx, authboss.Cfg.XSRFName, authboss.Cfg.XSRFMaker(w, r))
if errPage != nil {
m.execTpl(tplRecoverComplete, w, *errPage)
return
@ -86,11 +89,18 @@ func verifyToken(ctx *authboss.Context, storer authboss.RecoverStorer) (attrs au
return attrs, nil
}
func (m *RecoverModule) recoverComplete(ctx *authboss.Context) (errPage *pageRecoverComplete) {
func (m *RecoverModule) recoverComplete(ctx *authboss.Context, xsrfName, xsrfToken string) (errPage *pageRecoverComplete) {
token, _ := ctx.FirstFormValue("token")
password, _ := ctx.FirstPostFormValue("password")
confirmPassword, _ := ctx.FirstPostFormValue("confirmPassword")
defaultErrPage := &pageRecoverComplete{token, password, confirmPassword, nil, "", authboss.Cfg.RecoverFailedErrorFlash}
defaultErrPage := &pageRecoverComplete{
Token: token,
Password: password,
ConfirmPassword: confirmPassword,
FlashError: authboss.Cfg.RecoverFailedErrorFlash,
XSRFName: xsrfName,
XSRFToken: xsrfToken,
}
var err error
ctx.User, err = verifyToken(ctx, authboss.Cfg.Storer.(authboss.RecoverStorer))
@ -102,7 +112,14 @@ func (m *RecoverModule) recoverComplete(ctx *authboss.Context) (errPage *pageRec
policies := authboss.FilterValidators(authboss.Cfg.Policies, "password")
if validationErrs := ctx.Validate(policies, authboss.Cfg.ConfirmFields...); len(validationErrs) > 0 {
fmt.Fprintf(authboss.Cfg.LogWriter, errFormat, "validation failed", validationErrs)
return &pageRecoverComplete{token, password, confirmPassword, validationErrs.Map(), "", ""}
return &pageRecoverComplete{
Token: token,
Password: password,
ConfirmPassword: confirmPassword,
ErrMap: validationErrs.Map(),
XSRFName: xsrfName,
XSRFToken: xsrfToken,
}
}
encryptedPassword, err := bcrypt.GenerateFromPassword([]byte(password), authboss.Cfg.BCryptCost)

15
recover/complete_test.go
View File

@ -95,7 +95,12 @@ func Test_recoverCompleteHandlerFunc_GET(t *testing.T) {
m.recoverCompleteHandlerFunc(ctx, w, r)
page := pageRecoverComplete{Token: testUrlBase64Token, FlashError: "asdf"}
page := pageRecoverComplete{
Token: testUrlBase64Token,
FlashError: "asdf",
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(nil, nil),
}
expectedBody := &bytes.Buffer{}
if err := m.templates[tplRecoverComplete].Execute(expectedBody, page); err != nil {
panic(err)
@ -124,6 +129,8 @@ func Test_recoverCompleteHandlerFunc_POST_RecoveryCompleteFailed(t *testing.T) {
Password: "a",
ConfirmPassword: "a",
FlashError: authboss.Cfg.RecoverFailedErrorFlash,
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(nil, nil),
}); err != nil {
panic(err)
}
@ -245,7 +252,7 @@ func Test_recoverComplete_TokenVerificationFails(t *testing.T) {
m, logger := testValidRecoverModule()
ctx := mocks.MockRequestContext()
errPage := m.recoverComplete(ctx)
errPage := m.recoverComplete(ctx, "", "")
if errPage == nil {
t.Error("Expected err page")
}
@ -275,7 +282,7 @@ func Test_recoverComplete_ValidationFails(t *testing.T) {
attrRecoverTokenExpiry: time.Now().Add(time.Duration(24) * time.Hour),
}
errPage := m.recoverComplete(ctx)
errPage := m.recoverComplete(ctx, "", "")
if errPage == nil {
t.Error("Expected err page")
}
@ -317,7 +324,7 @@ func Test_recoverComplete(t *testing.T) {
attrRecoverTokenExpiry: time.Now().Add(time.Duration(24) * time.Hour),
}
if errPage := m.recoverComplete(ctx); errPage != nil {
if errPage := m.recoverComplete(ctx, "", ""); errPage != nil {
t.Error("Expected nil err page")
}

26
recover/init.go
View File

@ -15,8 +15,8 @@ import (
type pageRecover struct {
Username, ConfirmUsername string
ErrMap map[string][]string
FlashSuccess string
FlashError string
FlashSuccess, FlashError string
XSRFName, XSRFToken string
}
func (m *RecoverModule) recoverHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r *http.Request) {
@ -24,11 +24,13 @@ func (m *RecoverModule) recoverHandlerFunc(ctx *authboss.Context, w http.Respons
case methodGET:
page := pageRecover{
FlashError: flashutil.Pull(ctx.SessionStorer, authboss.FlashErrorKey),
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(w, r),
}
m.execTpl(tplRecover, w, page)
case methodPOST:
errPage, _ := m.recover(ctx)
errPage, _ := m.recover(ctx, authboss.Cfg.XSRFName, authboss.Cfg.XSRFMaker(w, r))
if errPage != nil {
m.execTpl(tplRecover, w, *errPage)
@ -42,20 +44,32 @@ func (m *RecoverModule) recoverHandlerFunc(ctx *authboss.Context, w http.Respons
}
}
func (m *RecoverModule) recover(ctx *authboss.Context) (errPage *pageRecover, emailSent <-chan struct{}) {
func (m *RecoverModule) recover(ctx *authboss.Context, xsrfName, xsrfToken string) (errPage *pageRecover, emailSent <-chan struct{}) {
username, _ := ctx.FirstPostFormValue("username")
confirmUsername, _ := ctx.FirstPostFormValue("confirmUsername")
policies := authboss.FilterValidators(authboss.Cfg.Policies, "username")
if validationErrs := ctx.Validate(policies, authboss.Cfg.ConfirmFields...); len(validationErrs) > 0 {
fmt.Fprintf(authboss.Cfg.LogWriter, errFormat, "validation failed", validationErrs)
return &pageRecover{username, confirmUsername, validationErrs.Map(), "", ""}, nil
return &pageRecover{
Username: username,
ConfirmUsername: confirmUsername,
ErrMap: validationErrs.Map(),
XSRFName: xsrfName,
XSRFToken: xsrfToken,
}, nil
}
err, emailSent := m.makeAndSendToken(ctx, username)
if err != nil {
fmt.Fprintf(authboss.Cfg.LogWriter, errFormat, "failed to recover", err)
return &pageRecover{username, confirmUsername, nil, "", authboss.Cfg.RecoverFailedErrorFlash}, nil
return &pageRecover{
Username: username,
ConfirmUsername: confirmUsername,
FlashError: authboss.Cfg.RecoverFailedErrorFlash,
XSRFName: xsrfName,
XSRFToken: xsrfToken,
}, nil
}
return nil, emailSent

16
recover/init_test.go
View File

@ -21,7 +21,11 @@ func Test_recoverHandlerFunc_GET(t *testing.T) {
m.recoverHandlerFunc(ctx, w, r)
expectedBody := &bytes.Buffer{}
if err := m.templates[tplRecover].Execute(expectedBody, pageRecover{}); err != nil {
err := m.templates[tplRecover].Execute(expectedBody, pageRecover{
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(nil, nil),
})
if err != nil {
panic(err)
}
@ -43,6 +47,8 @@ func Test_recoverHandlerFunc_POST_RecoveryFailed(t *testing.T) {
Username: "a",
ConfirmUsername: "a",
FlashError: authboss.Cfg.RecoverFailedErrorFlash,
XSRFName: authboss.Cfg.XSRFName,
XSRFToken: authboss.Cfg.XSRFMaker(nil, nil),
}); err != nil {
panic(err)
}
@ -90,7 +96,7 @@ func Test_recover_UsernameValidationFail(t *testing.T) {
m, logger := testValidRecoverModule()
ctx := mocks.MockRequestContext()
page, emailSent := m.recover(ctx)
page, emailSent := m.recover(ctx, "", "")
if len(page.ErrMap["username"]) != 1 {
t.Error("Exepted single validation error for username")
}
@ -114,7 +120,7 @@ func Test_recover_ConfirmUsernameCheckFail(t *testing.T) {
m, logger := testValidRecoverModule()
ctx := mocks.MockRequestContext("username", "a", "confirmUsername", "b")
page, emailSent := m.recover(ctx)
page, emailSent := m.recover(ctx, "", "")
if len(page.ErrMap["username"]) != 0 {
t.Error("Exepted no validation errors for username")
}
@ -141,7 +147,7 @@ func Test_recover_InvalidUser(t *testing.T) {
m, logger := testValidRecoverModule()
ctx := mocks.MockRequestContext("username", "a", "confirmUsername", "a")
page, emailSent := m.recover(ctx)
page, emailSent := m.recover(ctx, "", "")
if page.ErrMap != nil {
t.Error("Exepted no validation errors")
}
@ -172,7 +178,7 @@ func Test_recover(t *testing.T) {
ctx := mocks.MockRequestContext("username", "a", "confirmUsername", "a")
page, emailSent := m.recover(ctx)
page, emailSent := m.recover(ctx, "", "")
if page != nil {
t.Error("Expected nil page")
}

64
recover/recover_test.go
View File

@ -68,41 +68,47 @@ func Test_Initialize(t *testing.T) {
}
func testValidTestConfig() {
authboss.NewConfig()
authboss.Cfg.Storer = mocks.NewMockStorer()
authboss.Cfg.EmailFrom = "auth@boss.com"
cfg := authboss.Config{
Storer: mocks.NewMockStorer(),
RecoverRedirect: "/login",
RecoverInitiateSuccessFlash: "sf",
RecoverTokenExpiredFlash: "exf",
RecoverFailedErrorFlash: "errf",
Policies: []authboss.Validator{
authboss.Rules{
FieldName: "username",
Required: true,
},
authboss.Rules{
FieldName: "password",
Required: true,
},
},
ConfirmFields: []string{"username", "confirmUsername", "password", "confirmPassword"},
LogWriter: &bytes.Buffer{},
Mailer: &mocks.MockMailer{},
EmailFrom: "auth@boss.com",
HostName: "localhost",
RecoverTokenDuration: time.Duration(24) * time.Hour,
BCryptCost: 4,
AuthLoginSuccessRoute: "/login",
XSRFName: "rofl",
XSRFMaker: func(_ http.ResponseWriter, _ *http.Request) string {
return "lawl"
},
}
var err error
if authboss.Cfg.Layout, err = views.AssetToTemplate("layout.tpl"); err != nil {
if cfg.Layout, err = views.AssetToTemplate("layout.tpl"); err != nil {
panic(err)
}
if authboss.Cfg.LayoutEmail, err = views.AssetToTemplate("layoutEmail.tpl"); err != nil {
if cfg.LayoutEmail, err = views.AssetToTemplate("layoutEmail.tpl"); err != nil {
panic(err)
}
authboss.Cfg.RecoverRedirect = "/login"
authboss.Cfg.RecoverInitiateSuccessFlash = "sf"
authboss.Cfg.RecoverTokenExpiredFlash = "exf"
authboss.Cfg.RecoverFailedErrorFlash = "errf"
authboss.Cfg.Policies = []authboss.Validator{
authboss.Rules{
FieldName: "username",
Required: true,
},
authboss.Rules{
FieldName: "password",
Required: true,
},
}
authboss.Cfg.ConfirmFields = []string{"username", "confirmUsername", "password", "confirmPassword"}
authboss.Cfg.LogWriter = &bytes.Buffer{}
authboss.Cfg.Mailer = &mocks.MockMailer{}
authboss.Cfg.EmailFrom = "auth@boss.com"
authboss.Cfg.HostName = "localhost"
authboss.Cfg.RecoverTokenDuration = time.Duration(24) * time.Hour
authboss.Cfg.BCryptCost = 4
authboss.Cfg.AuthLoginSuccessRoute = "/login"
authboss.Cfg = &cfg
}
func testValidRecoverModule() (*RecoverModule, *bytes.Buffer) {
@ -215,7 +221,7 @@ func Test_execTpl(t *testing.T) {
m, _ := testValidRecoverModule()
w := httptest.NewRecorder()
page := pageRecover{"bobby", "bob", nil, "", authboss.Cfg.RecoverFailedErrorFlash}
page := pageRecover{"bobby", "bob", nil, "", authboss.Cfg.RecoverFailedErrorFlash, "", ""}
m.execTpl(tplRecover, w, page)
tpl := m.templates[tplRecover]