martini-contrib / csrf Goto Github PK
View Code? Open in Web Editor NEWCSRF protection for Martini applications
License: MIT License
csrf's People
Contributors
Stargazers
Watchers
Forkers
rverton hongzhen usercenter conradirwin tommyp1ckles ymohii jaredfolkins philsong guoyu07 libra9z charygaocsrf's Issues
Chrome Bug
Origin header not empty after post and contains "null". Because of this, after the post request, the token is not generated.
https://github.com/martini-contrib/csrf/blob/master/csrf.go#L213
I have modified the example:
server.go
// Simple example using Martini Render HTML templates.
// Passes the csrf.Token to the template that then
// places it in a hidden _csrf input.
package main
import (
"fmt"
"io/ioutil"
"net/http"
"github.com/go-martini/martini"
"github.com/martini-contrib/csrf"
"github.com/martini-contrib/render"
"github.com/martini-contrib/sessions"
)
func main() {
m := martini.Classic()
store := sessions.NewCookieStore([]byte("secret123"))
m.Use(render.Renderer())
m.Use(sessions.Sessions("my_session", store))
m.Use(csrf.Generate(&csrf.Options{
Secret: "token123",
SessionKey: "userID",
ErrorFunc: func(w http.ResponseWriter) {
buf, _ := ioutil.ReadFile("templates/error.html")
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(422)
fmt.Fprintln(w, string(buf))
},
}))
m.Get("/", func(s sessions.Session, r render.Render, x csrf.CSRF) {
if s.Get("userID") == nil {
r.Redirect("/login", 302)
return
}
r.HTML(200, "index", x.GetToken())
})
m.Get("/login", func(r render.Render) {
r.HTML(200, "login", nil)
})
m.Post("/login", func(s sessions.Session, r render.Render) {
s.Set("userID", "123456")
r.Redirect("/")
})
m.Post("/protected", csrf.Validate, func(s sessions.Session, r render.Render, x csrf.CSRF) {
if s.Get("userID") != nil {
r.HTML(200, "result", "You submitted a valid token. New token = " + x.GetToken())
// show form after post (Made for example, wrong)
r.HTML(200, "index", x.GetToken())
return
}
r.Redirect("/login", 401)
})
m.Get("/error", func(r render.Render) {
r.HTML(200, "custom_error", nil)
})
m.Run()
}index.tmpl
<html>
<head>
<title>Martini CSRF</title>
</head>
<body>
<p>The form contains a hidden _csrf form value that will be submitted with this form.</p>
<!-- show token -->
<p>Token: {{.}}</p>
<form action="/protected" method="post">
<input type="text" name="foo" placeholder="CC Number">
<input type="text" name="bar" placeholder="Amount">
<input type="hidden" name="_csrf" value="{{.}}">
<input type="submit" value="Submit">
</form>
</body>
</html>Debug on csrf.go:
"Generate BEFORE Origin - " + r.Header.Get("Origin") + " - " + r.Host
After get:
After post:
Tokens not generated on POST requests
I have index.html which contains couple of forms that POST to the current URL. This doesn't work because of the following code in csrf.go:
if r.Method != "GET" || r.Header.Get("Origin") != "" {
return
}
Is there any particular reason for this, performance wise it shouldn't make that much difference. Can this be removed?
Error when using CSRF with multipartform
I got a multipart form using csrf with binding and I'm getting validation error with error array populated with the following error:
[{"classification":"DeserializationError","message":"http: multipart handled by ParseMultipartForm"}]
It's like xsrftoken is modifying the form in some way causing ParseMultipartForm() not to like it.
how to pass the token to template context automaticly?
the token is generated while request is Get ,that's fine,how do get rid of passing token to template context mamuly in request handler,so I just need to put it in tempate.
Token is generated only on session creation
Something ive noticed when testing this middleware that the token isnt generated unless there is a cookie containing a session. Any reason why?
Update package to use the github.com/go-martini/martini import path
Martini has moved to the go-martini github org. Make sure this package uses the new martini import path.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.