
csrf's Introduction

Goji


Goji is an HTTP request multiplexer, similar to net/http.ServeMux. It compares incoming requests to a list of registered Patterns and dispatches to the http.Handler that corresponds to the first matching Pattern. Goji also supports Middleware (composable shared functionality applied to every request) and uses the standard context package to store request-scoped values.

Quick Start

package main

import (
        "fmt"
        "log"
        "net/http"

        "goji.io"
        "goji.io/pat"
)

// hello reads the ":name" URL parameter captured by the pattern below.
func hello(w http.ResponseWriter, r *http.Request) {
        name := pat.Param(r, "name")
        fmt.Fprintf(w, "Hello, %s!", name)
}

func main() {
        mux := goji.NewMux()
        // Only GET requests matching /hello/:name are routed to hello.
        mux.HandleFunc(pat.Get("/hello/:name"), hello)

        // ListenAndServe only returns on error, so report it instead of discarding it.
        log.Fatal(http.ListenAndServe("localhost:8000", mux))
}

Please refer to Goji's GoDoc Documentation for a full API reference.

Stability

Goji's API was recently updated to use the new net/http and context integration, and therefore some of its interfaces are still in a state of flux. We don't expect any further changes to the API, and expect to be able to announce API stability soon. Goji is suitable for use in production.

Prior to Go 1.7, Goji promised API stability with a different API to the one that is offered today. The author broke this promise, and does not take this breach of trust lightly. While stability is obviously extremely important, the author and community have decided to follow the broader Go community in standardizing on the standard library copy of the context package.

Users of the old API can find that familiar API on the net-context branch. The author promises to maintain both the net-context branch and master for the foreseeable future.

Community / Contributing

Goji maintains a mailing list, gojiberries, where you should feel welcome to ask questions about the project (no matter how simple!), to announce projects or libraries built on top of Goji, or to talk about Goji more generally. Goji's author (Carl Jackson) also loves to hear from users directly at his personal email address, which is available on his GitHub profile page.

Contributions to Goji are welcome; however, please be advised that, due to Goji's stability guarantees, interface changes are unlikely to be accepted.

All interactions in the Goji community will be held to the high standard of the broader Go community's Code of Conduct.

csrf's People

Contributors

elithrar, molivier


csrf's Issues

Supporting Goji v2 (goji.io)

With Goji v2 (https://github.com/goji/goji) close to reaching stability, there will be a need to make a change to support Goji's goji.Handler interface and use net/context instead of/in addition to web.C.

The two approaches I'm considering:

  • Add a ProtectC(authKey []byte, opts ...Option) func(goji.Handler) goji.Handler function, and add a ServeHTTPC method to the *csrf type. Calling ProtectC would set a useContext field in *csrf to true, and we would write helpers for getting/setting from appropriate request context (context.Context vs. web.C) based on that field.
    • Upsides: minimal breaking API change for existing users.
    • Downsides: internal code more complex, API not as clear to newcomers, csrf.ErrorHandler is currently tied to the old web.Handler (more API overhead).
  • Create a new package that only supports Goji v2.
    • Upsides: maintains the small API, provides a similar migration path.
    • Downsides: Another package to maintain and port bug fixes/API changes to/from, naming conflict.

@zenazn - open to suggestions here as you may have done some thinking on this already.

Token is stored in session cookie

I just tried adding goji/csrf as middleware to an app and everything continued to work as normal even before adding csrf fields to the forms. It seems the token is stored in a session cookie automatically, and this is used for authentication. How does this prevent a csrf attack - won't any browser with an active session succeed with POST requests even if they are malicious?
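As an added illustration for this question (written for this page, not goji/csrf's own code): a stripped-down double-submit check. The browser attaches the cookie to any request, including one triggered from another site, so the cookie on its own authorizes nothing; the server also requires the same token in a header or form field, which only a same-origin page that can read the token is able to supply. Protect, Status and the cookie name _demo_csrf are this example's own names, and the real library's token encoding and masking are omitted.

```go
package main

import (
	"crypto/hmac"
	"net/http"
	"net/http/httptest"
)

const cookieName = "_demo_csrf" // hypothetical name, not goji/csrf's

// Protect is a minimal double-submit check (token issuance omitted). For a
// state-changing method the token must arrive twice: in the cookie, which the
// browser attaches automatically, AND in a header or form field that only a
// same-origin page that could read the token is able to fill in.
func Protect(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "GET" || r.Method == "HEAD" || r.Method == "OPTIONS" || r.Method == "TRACE" {
			h.ServeHTTP(w, r) // safe methods are never blocked
			return
		}
		c, err := r.Cookie(cookieName)
		sent := r.Header.Get("X-CSRF-Token")
		if sent == "" {
			sent = r.FormValue("csrf_token")
		}
		// No cookie, no second copy, or mismatch => 403 (constant-time compare).
		if err != nil || sent == "" || !hmac.Equal([]byte(sent), []byte(c.Value)) {
			http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// Status replays one request through Protect; "" for cookie or header means "not sent".
func Status(method, cookie, header string) int {
	req := httptest.NewRequest(method, "/account/delete", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	if header != "" {
		req.Header.Set("X-CSRF-Token", header)
	}
	rec := httptest.NewRecorder()
	Protect(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { // a cross-site POST carries the cookie but not the second copy
	println(Status("POST", "tok123", ""), Status("POST", "tok123", "tok123")) // 403 200
}
```

A form that was rendered by the site itself carries the second copy and passes; a request whose only credential is the automatically attached cookie is refused.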

go get github.com/goji/csrf throwing error

Hi,

The go get command is throwing an error.

go get github.com/goji/csrf
csrf.go:148: cs.sc.SetSerializer undefined (type *securecookie.SecureCookie has no field or method SetSerializer)
csrf.go:148: undefined: securecookie.JSONEncoder

The command below also throws the same error.

go get github.com/gorilla/csrf

I tried with go 1.7.1 & go 1.5

Thanks

Two Cookies with the same Name

Hi @elithrar ,

The browser is sending two cookies with the same name "goji_csrf"? How is that possible?
If I remove one cookie and make a request via curl, it works fine.

And i can't see the goji_csrf cookies in "Developer Tools" --> "Application" --> "Cookies".
Where are they exactly getting saved in browser?

I can see them only in Request Headers. Below is the sample cookie, taken from Request Headers.

Cookie:_goji_csrf=MTQ3NTE1MjkzM3xJa2RrY0hCeU4xQkZSVEZWVUc4d1VVeG1RMWxtVkRKemFrMTRiMEpzVDNCbFdUWjNhVWN2YkVKT2JFRTlJZ289fGYBhIh1BbSLuowH9_9kE8OMMhERHRDX3sUvnJ5lVMe5; _goji_csrf=MTQ3NTE1MjkzNHxJbWRTUTNKc1oxTjNiMGhDTVdJd1RTOVlWbVpaYldWUmJWbE5aUzlGVVU5RU0zQmFPR0pqTW0xWU0yODlJZ289fCIQUKoyL7WIwS5gvwEA6O3ZPo284a2CUrXjems0ifcm;

Thanks
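As an added example for this issue (not goji/csrf's code): a server-side check that lists cookie names appearing more than once in the Cookie header, together with a demonstration that Go's r.Cookie silently returns only the first of them. Browsers send two same-name cookies when they were set under different Path or Domain scopes, so a request can be validated against a different cookie than the one the page's token came from. The Cookie header here is a constructed stand-in for the one quoted above, and DuplicateCookies, FirstCookieValue and SampleRequest are this example's own names.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// DuplicateCookies returns the names that occur more than once in the
// request's Cookie header. Two same-name cookies reach the server when they
// were set with different Path or Domain attributes (e.g. "/" and "/login",
// or example.com and app.example.com); each is a separate cookie to the browser.
func DuplicateCookies(r *http.Request) []string {
	seen := map[string]int{}
	var dups []string
	for _, c := range r.Cookies() {
		seen[c.Name]++
		if seen[c.Name] == 2 {
			dups = append(dups, c.Name)
		}
	}
	return dups
}

// FirstCookieValue shows which copy Go picks: r.Cookie stops at the first
// match, so the second same-name cookie is never looked at by the handler.
func FirstCookieValue(r *http.Request, name string) string {
	c, err := r.Cookie(name)
	if err != nil {
		return ""
	}
	return c.Value
}

// SampleRequest carries a constructed Cookie header with the duplicate from
// the issue (token values shortened and made up).
func SampleRequest() *http.Request {
	req := httptest.NewRequest("POST", "/submit", nil)
	req.Header.Set("Cookie", "_goji_csrf=tokenA; _goji_csrf=tokenB; session=s1")
	return req
}

func main() {
	r := SampleRequest()
	println(len(DuplicateCookies(r)), FirstCookieValue(r, "_goji_csrf")) // 1 tokenA
}
```

Rejecting or logging requests that trip DuplicateCookies, and always setting the CSRF cookie with one explicit Path and Domain, removes the ambiguity over which copy is being checked.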
