Beispiel #1
0
func (csrf *CSRFMiddleware) Handle(next clevergo.Handler) clevergo.Handler {
	return clevergo.HandlerFunc(func(ctx *clevergo.Context) {
		var trueToken string
		if ctx.Session == nil {
			err := ctx.GetSession()
			if err != nil {
				panic(err)
			}
		}

		token, err := ctx.Session.Get(csrf.SessionKey)
		if (err != nil) || (token == nil) {
			trueToken = stringutil.GenerateRandomString(csrf.Len)
		} else {
			trueToken = token.(string)
		}

		if _, safe := csrf.SafeMethods[ctx.Request.Method]; !safe {
			if (len(trueToken) != csrf.MaskLen) &&
				!ValidateCSRFToken(csrf.MaskLen, ctx.Request.PostFormValue(csrf.FormKey), trueToken) &&
				!ValidateCSRFToken(csrf.MaskLen, ctx.Request.Header.Get(csrf.HeaderKey), trueToken) {
				ctx.Response.SetStatus(http.StatusBadRequest)
				ctx.Response.SetBody(csrf.ErrorInvalid)
				return
			}
		} else {
			csrfToken := GenerateCSRFToken(csrf.MaskLen, trueToken)
			ctx.Values[csrf.Key] = csrfToken
			ctx.Session.Set(csrf.SessionKey, trueToken)
		}
		next.Handle(ctx)
	})
}
Beispiel #2
0
func (jm *JWTMiddleware) Handle(next clevergo.Handler) clevergo.Handler {
	return clevergo.HandlerFunc(func(ctx *clevergo.Context) {
		if _, canSkip := ctx.SkipMiddlewares[JWTMiddlewareID]; canSkip {
			next.Handle(ctx)
			return
		}

		// Try to get JWT raw token from URL query string.
		rawToken := ctx.Request.FormValue(jm.urlKey)
		if len(rawToken) < 0 {
			// Try to get JWT raw token from POST FORM.
			rawToken = ctx.Request.PostFormValue(jm.formKey)
			if len(rawToken) < 0 {
				// Try to get JWT raw token from Header.
				if ah := ctx.Request.Header.Get("Authorization"); ah != "" {
					// Should be a bearer token
					if len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER " {
						rawToken = ah[7:]
					}
				}
			}
		}

		// Check raw token is valid.
		if len(rawToken) == 0 {
			ctx.Response.Unauthorized()
			return
		}

		// Get JWT by raw token
		token, err := jwt.NewTokenByRaw(ctx.JWT(), rawToken)
		if err != nil {
			ctx.Response.Unauthorized(err.Error())
			return
		}

		// Validate JWT.
		if err = token.Validate(); err != nil {
			ctx.Response.Unauthorized(err.Error())
			return
		}

		ctx.Token = token
		// Validate successfully.
		next.Handle(ctx)
	})
}