1
0
mirror of https://github.com/labstack/echo.git synced 2024-12-24 20:14:31 +02:00
Signed-off-by: Vishal Rana <vr@labstack.com>
This commit is contained in:
Vishal Rana 2016-07-13 16:55:46 -07:00 committed by GitHub
parent 451b2ccc9f
commit 98d744b8fb
2 changed files with 39 additions and 31 deletions

View File

@ -50,12 +50,8 @@ type (
CookieMaxAge int `json:"cookie_max_age"`
// Indicates if CSRF cookie is secure.
// Optional. Default value false.
CookieSecure bool `json:"cookie_secure"`
// Optional. Default value false.
// Indicates if CSRF cookie is HTTP only.
// Optional. Default value false.
CookieHTTPOnly bool `json:"cookie_http_only"`
}
// csrfTokenExtractor defines a function that takes `echo.Context` and returns
@ -68,7 +64,7 @@ var (
DefaultCSRFConfig = CSRFConfig{
TokenLookup: "header:" + echo.HeaderXCSRFToken,
ContextKey: "csrf",
CookieName: "csrf",
CookieName: "_csrf",
CookieMaxAge: 86400,
}
)
@ -122,28 +118,33 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
}
token := generateCSRFToken(config.Secret, salt)
c.Set(config.ContextKey, token)
cookie := new(echo.Cookie)
cookie.SetName(config.CookieName)
cookie.SetValue(token)
if config.CookiePath != "" {
cookie.SetPath(config.CookiePath)
}
if config.CookieDomain != "" {
cookie.SetDomain(config.CookieDomain)
}
cookie.SetExpires(time.Now().Add(time.Duration(config.CookieMaxAge) * time.Second))
cookie.SetSecure(config.CookieSecure)
cookie.SetHTTPOnly(config.CookieHTTPOnly)
c.SetCookie(cookie)
switch req.Method() {
case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE:
cookie := new(echo.Cookie)
cookie.SetName(config.CookieName)
cookie.SetValue(token)
if config.CookiePath != "" {
cookie.SetPath(config.CookiePath)
}
if config.CookieDomain != "" {
cookie.SetDomain(config.CookieDomain)
}
cookie.SetExpires(time.Now().Add(time.Duration(config.CookieMaxAge) * time.Second))
cookie.SetSecure(config.CookieSecure)
cookie.SetHTTPOnly(true)
c.SetCookie(cookie)
default:
token, err := extractor(c)
cookie, err := c.Cookie(config.CookieName)
if err != nil {
return err
}
ok, err := validateCSRFToken(token, config.Secret)
serverToken := cookie.Value()
clientToken, err := extractor(c)
if err != nil {
return err
}
ok, err := validateCSRFToken(serverToken, clientToken, config.Secret)
if err != nil {
return err
}
@ -194,16 +195,19 @@ func generateCSRFToken(secret, salt []byte) string {
return fmt.Sprintf("%s:%s", hex.EncodeToString(h.Sum(nil)), hex.EncodeToString(salt))
}
func validateCSRFToken(token string, secret []byte) (bool, error) {
sep := strings.Index(token, ":")
func validateCSRFToken(serverToken, clientToken string, secret []byte) (bool, error) {
if serverToken != clientToken {
return false, nil
}
sep := strings.Index(clientToken, ":")
if sep < 0 {
return false, nil
}
salt, err := hex.DecodeString(token[sep+1:])
salt, err := hex.DecodeString(clientToken[sep+1:])
if err != nil {
return false, err
}
return token == generateCSRFToken(secret, salt), nil
return clientToken == generateCSRFToken(secret, salt), nil
}
func generateSalt(len uint8) (salt []byte, err error) {

View File

@ -17,9 +17,7 @@ func TestCSRF(t *testing.T) {
rec := test.NewResponseRecorder()
c := e.NewContext(req, rec)
csrf := CSRFWithConfig(CSRFConfig{
Secret: []byte("secret"),
CookiePath: "/",
CookieDomain: "labstack.com",
Secret: []byte("secret"),
})
h := csrf(func(c echo.Context) error {
return c.String(http.StatusOK, "test")
@ -32,19 +30,25 @@ func TestCSRF(t *testing.T) {
// Generate CSRF token
h(c)
assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "csrf")
assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")
// Without CSRF cookie
req = test.NewRequest(echo.POST, "/", nil)
rec = test.NewResponseRecorder()
c = e.NewContext(req, rec)
assert.Error(t, h(c))
// Empty/invalid CSRF token
req = test.NewRequest(echo.POST, "/", nil)
rec = test.NewResponseRecorder()
c = e.NewContext(req, rec)
req.Header().Set(echo.HeaderXCSRFToken, "")
he := h(c).(*echo.HTTPError)
assert.Equal(t, http.StatusForbidden, he.Code)
assert.Error(t, h(c))
// Valid CSRF token
salt, _ := generateSalt(8)
token := generateCSRFToken([]byte("secret"), salt)
req.Header().Set(echo.HeaderCookie, "_csrf="+token)
req.Header().Set(echo.HeaderXCSRFToken, token)
if assert.NoError(t, h(c)) {
assert.Equal(t, http.StatusOK, rec.Status())