
Generate CSRF token only if it is expired (#601)

Signed-off-by: Vishal Rana <vr@labstack.com>
This commit is contained in:
Vishal Rana 2016-07-16 10:22:24 -07:00 committed by GitHub
parent 4d8557c491
commit c1358eda73


@ -110,17 +110,16 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
req := c.Request()
cookie, err := c.Cookie(config.CookieName)
token := ""
// Set CSRF token
salt, err := generateSalt(8)
if err != nil {
return err
}
token := generateCSRFToken(config.Secret, salt)
c.Set(config.ContextKey, token)
switch req.Method() {
case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE:
// Token expired, generate it
salt, err := generateSalt(8)
if err != nil {
return err
}
token = generateCSRFToken(config.Secret, salt)
cookie := new(echo.Cookie)
cookie.SetName(config.CookieName)
cookie.SetValue(token)
@ -134,17 +133,21 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
cookie.SetSecure(config.CookieSecure)
cookie.SetHTTPOnly(true)
c.SetCookie(cookie)
} else {
// Reuse token
token = cookie.Value()
}
c.Set(config.ContextKey, token)
switch req.Method() {
case echo.GET, echo.HEAD, echo.OPTIONS, echo.TRACE:
default:
cookie, err := c.Cookie(config.CookieName)
if err != nil {
return err
}
serverToken := cookie.Value()
clientToken, err := extractor(c)
if err != nil {
return err
}
ok, err := validateCSRFToken(serverToken, clientToken, config.Secret)
ok, err := validateCSRFToken(token, clientToken, config.Secret)
if err != nil {
return err
}
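Review bot: The reuse branch (`token = cookie.Value()` under `// Reuse token`) places whatever value the request cookie carries into the context without checking its length, format or its binding to `config.Secret`, so a tampered or malformed cookie value is served back as the page's CSRF token until the cookie expires; if `validateCSRFToken` already verifies that binding with the secret, applying the same verification to the reused cookie value and regenerating on failure would close that gap. The comment `// Token expired, generate it` claims more than the code observes: the branch only sees that `c.Cookie(config.CookieName)` returned an error (the `if err != nil {` line itself appears to have been dropped by the page rendering), which covers a cookie that was never set as well as one the browser discarded, so `// No CSRF cookie (missing or expired): generate a fresh token` is the accurate wording. Inside that branch `salt, err := generateSalt(8)` shadows the outer `err` via `:=`; harmless here because it is checked and returned at once, but `salt, genErr := generateSalt(8)` avoids the shadowing lint. `CSRFWithConfig` begins before the first hunk and its body continues past the last one.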