path: root/srv/src/http/csrf.go
authorBrian Picciano <mediocregopher@gmail.com>2022-05-24 17:42:00 -0600
committerBrian Picciano <mediocregopher@gmail.com>2022-05-24 17:42:00 -0600
commit08811a6da78c3f1f973b8f50a337ff4dc4ed9e2c (patch)
tree3fc8fa9025dbdc8099ea145e232f8b25547204b5 /srv/src/http/csrf.go
parent159638084e167047b86fd65382f50cd099d4eb48 (diff)
Replace CSRF token checking with Referer checking
Diffstat (limited to 'srv/src/http/csrf.go')
-rw-r--r--srv/src/http/csrf.go64
1 files changed, 7 insertions, 57 deletions
diff --git a/srv/src/http/csrf.go b/srv/src/http/csrf.go
index 7a45269..d0f7b6a 100644
--- a/srv/src/http/csrf.go
+++ b/srv/src/http/csrf.go
@@ -3,76 +3,26 @@ package http
import (
"errors"
"net/http"
+ "net/url"
"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
)
-const (
- csrfTokenCookieName = "csrf_token"
- csrfTokenHeaderName = "X-CSRF-Token"
- csrfTokenFormName = "csrfToken"
-)
-
-func setCSRFMiddleware(h http.Handler) http.Handler {
- return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-
- csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
-
- if err != nil {
- apiutil.InternalServerError(rw, r, err)
- return
-
- } else if csrfTok == "" {
- http.SetCookie(rw, &http.Cookie{
- Name: csrfTokenCookieName,
- Value: apiutil.RandStr(32),
- Secure: true,
- })
- }
-
- h.ServeHTTP(rw, r)
- })
-}
-
-func checkCSRFMiddleware(h http.Handler) http.Handler {
+func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
- csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
-
+ refererURL, err := url.Parse(r.Referer())
if err != nil {
- apiutil.InternalServerError(rw, r, err)
+ apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
return
}
- givenCSRFTok := r.Header.Get(csrfTokenHeaderName)
- if givenCSRFTok == "" {
- givenCSRFTok = r.FormValue(csrfTokenFormName)
- }
-
- if csrfTok == "" || givenCSRFTok != csrfTok {
- apiutil.BadRequest(rw, r, errors.New("invalid CSRF token"))
+ if refererURL.Scheme != a.params.PublicURL.Scheme ||
+ refererURL.Host != a.params.PublicURL.Host {
+ apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
return
}
h.ServeHTTP(rw, r)
})
}
-
-func (a *api) getCSRFTokenHandler() http.Handler {
-
- return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-
- csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
-
- if err != nil {
- apiutil.InternalServerError(rw, r, err)
- return
- }
-
- apiutil.JSONResult(rw, r, struct {
- CSRFToken string
- }{
- CSRFToken: csrfTok,
- })
- })
-}
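Review bot: The new checkCSRFMiddleware (L55–L79) decides purely on the Referer header, which browsers omit under a `no-referrer` Referrer-Policy or privacy extensions, so legitimate same-origin requests would get a 400 from the comparison on L72–L73; the `Origin` header is not subject to referrer policy and is generally the more reliable primary signal for a CSRF check, with Referer as the fallback when Origin is absent. The rejection of an empty Referer is only implicit — `url.Parse("")` returns no error and an empty Scheme, which then fails the Scheme comparison — and deserves a comment above L72 such as `// An absent Referer parses to an empty Scheme and is rejected here along with cross-origin ones.` so a later edit does not loosen it by accident. Hostnames are case-insensitive while the L73 comparison is byte-exact; `!strings.EqualFold(refererURL.Host, a.params.PublicURL.Host)` would avoid spurious rejections when the Referer carries a differently cased host (this would need `"strings"` in the import block at L21–L26). The two identical `errors.New("invalid Referer")` values on L62 and L74 could also be hoisted to a single package-level `var errInvalidReferer` so both paths return one sentinel.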