martini-contrib / csrf
CSRF protection for Martini applications
License: MIT License
The Origin header is not empty after a POST and contains "null". Because of this, after the POST request the token is not generated.
https://github.com/martini-contrib/csrf/blob/master/csrf.go#L213
I have modified the example:
server.go
// Simple example using Martini Render HTML templates.
// Passes the csrf.Token to the template that then
// places it in a hidden _csrf input.
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"

	"github.com/go-martini/martini"
	"github.com/martini-contrib/csrf"
	"github.com/martini-contrib/render"
	"github.com/martini-contrib/sessions"
)

func main() {
	m := martini.Classic()
	store := sessions.NewCookieStore([]byte("secret123"))
	m.Use(render.Renderer())
	m.Use(sessions.Sessions("my_session", store))
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     "token123",
		SessionKey: "userID",
		// Custom error handler: serve the error page with a 422 status.
		ErrorFunc: func(w http.ResponseWriter) {
			buf, _ := ioutil.ReadFile("templates/error.html")
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			w.WriteHeader(422)
			fmt.Fprintln(w, string(buf))
		},
	}))
	m.Get("/", func(s sessions.Session, r render.Render, x csrf.CSRF) {
		if s.Get("userID") == nil {
			r.Redirect("/login", 302)
			return
		}
		r.HTML(200, "index", x.GetToken())
	})
	m.Get("/login", func(r render.Render) {
		r.HTML(200, "login", nil)
	})
	m.Post("/login", func(s sessions.Session, r render.Render) {
		s.Set("userID", "123456")
		r.Redirect("/")
	})
	m.Post("/protected", csrf.Validate, func(s sessions.Session, r render.Render, x csrf.CSRF) {
		if s.Get("userID") != nil {
			r.HTML(200, "result", "You submitted a valid token. New token = "+x.GetToken())
			// show form after post (Made for example, wrong)
			r.HTML(200, "index", x.GetToken())
			return
		}
		r.Redirect("/login", 401)
	})
	m.Get("/error", func(r render.Render) {
		r.HTML(200, "custom_error", nil)
	})
	m.Run()
}
index.tmpl
<html>
  <head>
    <title>Martini CSRF</title>
  </head>
  <body>
    <p>The form contains a hidden _csrf form value that will be submitted with this form.</p>
    <!-- show token -->
    <p>Token: {{.}}</p>
    <form action="/protected" method="post">
      <input type="text" name="foo" placeholder="CC Number">
      <input type="text" name="bar" placeholder="Amount">
      <input type="hidden" name="_csrf" value="{{.}}">
      <input type="submit" value="Submit">
    </form>
  </body>
</html>
Debug on csrf.go:
"Generate BEFORE Origin - " + r.Header.Get("Origin") + " - " + r.Host
I have an index.html which contains a couple of forms that POST to the current URL. This doesn't work because of the following code in csrf.go:

if r.Method != "GET" || r.Header.Get("Origin") != "" {
	return
}

Is there any particular reason for this? Performance-wise it shouldn't make that much difference. Can this be removed?
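Both reports above run into the same gate in csrf.Generate: a token is only minted for a GET request that carries no Origin header at all, so a browser that sends "Origin: null" on the request following a POST, or a page whose forms POST back to the current URL, gets no fresh token. The program below is an added example, not code from the martini-contrib/csrf project. It reimplements that gate as shouldGenerate, and beside it an assumed variant, shouldGenerateSameOrigin (my name, not the project's), that still refuses non-GET requests and foreign origins but accepts a GET whose Origin names the host serving the request. The literal "null" never matches, so the post-redirect case from the first report is still refused under the variant; the comparison is on scheme-stripped host and port only, and a real deployment would also want the scheme checked.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// shouldGenerate mirrors the gate quoted from csrf.go in the issue above:
// a token is generated only for a GET request without any Origin header.
func shouldGenerate(r *http.Request) bool {
	if r.Method != "GET" || r.Header.Get("Origin") != "" {
		return false
	}
	return true
}

// shouldGenerateSameOrigin is an assumed alternative (not the project's code).
// Non-GET requests and foreign origins are still refused; a GET whose Origin
// matches the request's own Host is accepted. "null" never matches.
func shouldGenerateSameOrigin(r *http.Request) bool {
	if r.Method != "GET" {
		return false
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	return originMatchesHost(origin, r.Host)
}

// originMatchesHost parses an Origin header value and compares its host
// (including any port) with the request's Host header, case-insensitively.
// Unparseable values and the literal "null" are treated as non-matching.
func originMatchesHost(origin, host string) bool {
	if origin == "null" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, host)
}

// newRequest builds a constructed request against a made-up host so the
// scenarios from the issue can be exercised offline.
func newRequest(method, origin string) *http.Request {
	r, err := http.NewRequest(method, "http://example.test/", nil)
	if err != nil {
		panic(err)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	cases := []struct{ method, origin string }{
		{"GET", ""},                    // plain navigation: token generated
		{"GET", "null"},                // GET after a POST redirect, as reported
		{"GET", "http://example.test"}, // same-origin GET with Origin set
		{"GET", "http://evil.test"},    // cross-site GET
		{"POST", ""},                   // form submission: never generates
	}
	for _, c := range cases {
		r := newRequest(c.method, c.origin)
		fmt.Printf("%-4s Origin=%-22q project gate=%-5t same-origin variant=%t\n",
			c.method, c.origin, shouldGenerate(r), shouldGenerateSameOrigin(r))
	}
}
```

Running it prints one line per scenario; the "null" row is the one where both the project gate and the same-origin variant refuse to generate, which is why the first report sees no token after its POST-then-redirect.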
I have a multipart form using csrf with binding and I'm getting a validation error with the error array populated with the following error:

[{"classification":"DeserializationError","message":"http: multipart handled by ParseMultipartForm"}]

It's like xsrftoken is modifying the form in some way, causing ParseMultipartForm() not to like it.
The token is generated while the request is a GET, and that's fine. How do I get rid of passing the token to the template context manually in the request handler, so that I just need to put it in the template?

Something I've noticed when testing this middleware is that the token isn't generated unless there is a cookie containing a session. Any reason why?
Martini has moved to the go-martini github org. Make sure this package uses the new martini import path.