Fixed #597 (#598)

Signed-off-by: Vishal Rana <vr@labstack.com>

middleware/csrf.go

@@ -50,12 +50,8 @@ type (
 		CookieMaxAge int `json:"cookie_max_age"`
 
 		// Indicates if CSRF cookie is secure.
+		// Optional. Default value false.
 		CookieSecure bool `json:"cookie_secure"`
-		// Optional. Default value false.
-
-		// Indicates if CSRF cookie is HTTP only.
-		// Optional. Default value false.
-		CookieHTTPOnly bool `json:"cookie_http_only"`
 	}
 
 	// csrfTokenExtractor defines a function that takes `echo.Context` and returns
@@ -68,7 +64,7 @@ var (
 	DefaultCSRFConfig = CSRFConfig{
 		TokenLookup:  "header:" + echo.HeaderXCSRFToken,
 		ContextKey:   "csrf",
-		CookieName:   "csrf",
+		CookieName:   "_csrf",
 		CookieMaxAge: 86400,
 	}
 )
@@ -122,6 +118,9 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
 			}
 			token := generateCSRFToken(config.Secret, salt)
 			c.Set(config.ContextKey, token)
+
+			switch req.Method() {
+			case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE:
 				cookie := new(echo.Cookie)
 				cookie.SetName(config.CookieName)
 				cookie.SetValue(token)
@@ -133,17 +132,19 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
 				}
 				cookie.SetExpires(time.Now().Add(time.Duration(config.CookieMaxAge) * time.Second))
 				cookie.SetSecure(config.CookieSecure)
-			cookie.SetHTTPOnly(config.CookieHTTPOnly)
+				cookie.SetHTTPOnly(true)
 				c.SetCookie(cookie)
-
-			switch req.Method() {
-			case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE:
 			default:
-				token, err := extractor(c)
+				cookie, err := c.Cookie(config.CookieName)
 				if err != nil {
 					return err
 				}
-				ok, err := validateCSRFToken(token, config.Secret)
+				serverToken := cookie.Value()
+				clientToken, err := extractor(c)
+				if err != nil {
+					return err
+				}
+				ok, err := validateCSRFToken(serverToken, clientToken, config.Secret)
 				if err != nil {
 					return err
 				}
@@ -194,16 +195,19 @@ func generateCSRFToken(secret, salt []byte) string {
 	return fmt.Sprintf("%s:%s", hex.EncodeToString(h.Sum(nil)), hex.EncodeToString(salt))
 }
 
-func validateCSRFToken(token string, secret []byte) (bool, error) {
+func validateCSRFToken(serverToken, clientToken string, secret []byte) (bool, error) {
-	sep := strings.Index(token, ":")
+	if serverToken != clientToken {
+		return false, nil
+	}
+	sep := strings.Index(clientToken, ":")
 	if sep < 0 {
 		return false, nil
 	}
-	salt, err := hex.DecodeString(token[sep+1:])
+	salt, err := hex.DecodeString(clientToken[sep+1:])
 	if err != nil {
 		return false, err
 	}
-	return token == generateCSRFToken(secret, salt), nil
+	return clientToken == generateCSRFToken(secret, salt), nil
 }
 
 func generateSalt(len uint8) (salt []byte, err error) {

middleware/csrf_test.go

@@ -18,8 +18,6 @@ func TestCSRF(t *testing.T) {
 	c := e.NewContext(req, rec)
 	csrf := CSRFWithConfig(CSRFConfig{
 		Secret: []byte("secret"),
-		CookiePath:   "/",
-		CookieDomain: "labstack.com",
 	})
 	h := csrf(func(c echo.Context) error {
 		return c.String(http.StatusOK, "test")
@@ -32,19 +30,25 @@ func TestCSRF(t *testing.T) {
 
 	// Generate CSRF token
 	h(c)
-	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "csrf")
+	assert.Contains(t, rec.Header().Get(echo.HeaderSetCookie), "_csrf")
+
+	// Without CSRF cookie
+	req = test.NewRequest(echo.POST, "/", nil)
+	rec = test.NewResponseRecorder()
+	c = e.NewContext(req, rec)
+	assert.Error(t, h(c))
 
 	// Empty/invalid CSRF token
 	req = test.NewRequest(echo.POST, "/", nil)
 	rec = test.NewResponseRecorder()
 	c = e.NewContext(req, rec)
 	req.Header().Set(echo.HeaderXCSRFToken, "")
-	he := h(c).(*echo.HTTPError)
+	assert.Error(t, h(c))
-	assert.Equal(t, http.StatusForbidden, he.Code)
 
 	// Valid CSRF token
 	salt, _ := generateSalt(8)
 	token := generateCSRFToken([]byte("secret"), salt)
+	req.Header().Set(echo.HeaderCookie, "_csrf="+token)
 	req.Header().Set(echo.HeaderXCSRFToken, token)
 	if assert.NoError(t, h(c)) {
 		assert.Equal(t, http.StatusOK, rec.Status())