func (ri *RequestId) Filter(req zerver.Request, resp zerver.Response, chain zerver.FilterChain) {
if req.Method() == "GET" {
chain(req, resp)
return
}
reqId := req.Header(ri.HeaderName)
if reqId == "" {
if ri.PassingOnNoId {
chain(req, resp)
} else {
resp.ReportBadRequest()
resp.Send("error", ri.Error)
}
} else {
id := req.RemoteIP() + ":" + reqId
if err := ri.Store.Save(id); err == ErrRequestIDExist {
resp.ReportForbidden()
resp.Send("error", ri.ErrorOverlap)
} else if err != nil {
ri.logger.Warnln(err)
} else {
chain(req, resp)
ri.Store.Remove(id)
}
}
}
func (x *Xsrf) VerifyFor(req zerver.Request) bool {
m := req.Method()
if !x.FilterGet && (m == "GET" || m == "HEAD" || m == "OPTIONS") {
return true
}
token := req.Header(_HEADER_XSRFTOKEN)
if token == "" {
token = req.Header(_HEADER_CSRFTOKEN)
if token == "" {
token = req.Param(_XSRF_PARAM_NAME)
if token == "" {
return false
}
}
}
data := x.verify(unsafe2.Bytes(token))
if data != nil {
x.Pool.Put(data)
t, ip, agent := x.TokenInfo.Unmarshal(data)
return t != -1 &&
t+x.Timeout >= time2.Now().Unix() &&
ip == req.RemoteIP() &&
agent == req.UserAgent()
}
return false
}
func (c *CORS) Filter(req zerver.Request, resp zerver.Response, chain zerver.FilterChain) {
reqMethod := req.Header(_CORS_REQUESTMETHOD)
reqHeaders := req.Header(_CORS_REQUESTHEADERS)
if req.Method() == "OPTIONS" && (reqMethod != "" || reqHeaders != "") {
c.preflight(req, resp, reqMethod, reqHeaders)
} else {
c.filter(req, resp, chain)
}
}
func (c *CORS) preflight(req zerver.Request, resp zerver.Response, method, headers string) {
origin := "*"
if !c.allowAll {
origin = req.Header(_CORS_ORIGIN)
if !c.allow(origin) {
resp.ReportOK()
return
}
}
resp.SetHeader(_CORS_ALLOWORIGIN, origin)
upperMethod := strings.ToUpper(method)
for _, m := range c.Methods {
if m == upperMethod {
resp.AddHeader(_CORS_ALLOWMETHODS, method)
break
}
}
for _, h := range strings2.SplitAndTrim(headers, ",") {
for _, ch := range c.Headers {
if strings.ToLower(h) == ch { // c.Headers already ToLowered when Init
resp.AddHeader(_CORS_ALLOWHEADERS, ch)
break
}
}
}
resp.SetHeader(_CORS_ALLOWCREDENTIALS, c.allowCredentials)
if c.exposeHeaders != "" {
resp.SetHeader(_CORS_EXPOSEHEADERS, c.exposeHeaders)
}
if c.preflightMaxage != "" {
resp.SetHeader(_CORS_MAXAGE, c.preflightMaxage)
}
resp.ReportOK()
}
func (c *CORS) filter(req zerver.Request, resp zerver.Response, chain zerver.FilterChain) {
origin := "*"
if !c.allowAll {
origin = req.Header(_CORS_ORIGIN)
if !c.allow(origin) {
resp.ReportForbidden()
return
}
}
resp.SetHeader(_CORS_ALLOWORIGIN, origin)
resp.SetHeader(_CORS_ALLOWMETHODS, c.methods)
resp.SetHeader(_CORS_ALLOWHEADERS, c.headers)
resp.SetHeader(_CORS_ALLOWCREDENTIALS, c.allowCredentials)
if c.exposeHeaders != "" {
resp.SetHeader(_CORS_EXPOSEHEADERS, c.exposeHeaders)
}
if c.preflightMaxage != "" {
resp.SetHeader(_CORS_MAXAGE, c.preflightMaxage)
}
chain(req, resp)
}
