// CSRFMiddleware builds the CSRF-protection handler for a martini app.
// sessionSecret is passed through as the csrf Secret and sessionKey names
// the session value the token is bound to. A request that fails token
// validation is answered with a plain 400 response.
func CSRFMiddleware(sessionSecret string, sessionKey string) martini.Handler {
	// Answer with 400 and a fixed message: the client learns that the
	// check failed, not anything about the expected token.
	onFailure := func(w http.ResponseWriter) {
		http.Error(w, "CSRF token validation failed", http.StatusBadRequest)
	}
	opts := &csrf.Options{
		Secret:     sessionSecret,
		SessionKey: sessionKey,
		ErrorFunc:  onFailure,
	}
	return csrf.Generate(opts)
}
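// main wires up a minimal martini app demonstrating session-bound CSRF
// protection. "/" and "/protected" require a userID in the session,
// "/login" fakes a login, and a failed token check is answered with the
// HTML in templates/error.html (plain-text fallback if it cannot be read).
//
// "secret123" and "token123" are placeholder secrets for the example; a
// real deployment should load both from configuration, not from source.
func main() {
	m := martini.Classic()
	store := sessions.NewCookieStore([]byte("secret123"))
	m.Use(render.Renderer())
	m.Use(sessions.Sessions("my_session", store))
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     "token123",
		SessionKey: "userID",
		ErrorFunc: func(w http.ResponseWriter) {
			buf, err := ioutil.ReadFile("templates/error.html")
			if err != nil {
				// Do not serve an empty 422 when the template is missing or
				// unreadable; fall back to a plain-text error so the failure
				// stays visible to the client and in logs.
				http.Error(w, "CSRF token validation failed", http.StatusUnprocessableEntity)
				return
			}
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			w.WriteHeader(http.StatusUnprocessableEntity)
			fmt.Fprintln(w, string(buf))
		},
	}))

	// Anyone without a session userID is sent to /login; otherwise the
	// index template is rendered with the CSRF token for its form.
	m.Get("/", func(s sessions.Session, r render.Render, x csrf.CSRF) {
		if s.Get("userID") == nil {
			r.Redirect("/login", http.StatusFound)
			return
		}
		r.HTML(http.StatusOK, "index", x.GetToken())
	})

	m.Get("/login", func(r render.Render) {
		r.HTML(http.StatusOK, "login", nil)
	})

	// Stand-in for real authentication: every POST is treated as a login.
	m.Post("/login", func(s sessions.Session, r render.Render) {
		s.Set("userID", "123456")
		r.Redirect("/")
	})

	// csrf.Validate runs ahead of this handler; the handler additionally
	// requires a session so a valid token alone is not enough.
	m.Post("/protected", csrf.Validate, func(s sessions.Session, r render.Render) {
		if s.Get("userID") != nil {
			r.HTML(http.StatusOK, "result", "You submitted a valid token")
			return
		}
		// NOTE(review): a 401 response carries the Location header but
		// browsers only follow 3xx redirects; confirm whether a plain 401
		// or an http.StatusFound redirect is the intended behaviour.
		r.Redirect("/login", http.StatusUnauthorized)
	})

	m.Get("/error", func(r render.Render) {
		r.HTML(http.StatusOK, "custom_error", nil)
	})

	m.Run()
}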
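// setMiddleware registers the application's middleware chain on m in the
// order requests will traverse it: database setup, static files from
// "public", the HTML renderer (layout "layout"), cookie-backed sessions,
// then CSRF protection bound to the "user" session key.
//
// Both secrets come from the environment: SECRET keys the session cookie
// store and CSRF seeds the token. An empty value leaves the store and the
// token generator with no real secret, so setup refuses to continue
// rather than silently running with a blank key.
func setMiddleware(m *martini.ClassicMartini) {
	sessionSecret := os.Getenv("SECRET")
	csrfSecret := os.Getenv("CSRF")
	if sessionSecret == "" || csrfSecret == "" {
		// Fail fast at startup; a misconfigured secret must not reach
		// the point of serving requests.
		panic("setMiddleware: SECRET and CSRF environment variables must be set")
	}

	setDB(m)
	m.Use(martini.Static("public"))
	m.Use(render.Renderer(render.Options{
		Layout: "layout",
	}))
	store := sessions.NewCookieStore([]byte(sessionSecret))
	m.Use(sessions.Sessions("session", store))
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     csrfSecret,
		SessionKey: "user",
		// A failed token check is reported as 401 with a fixed message
		// that reveals nothing about the expected token.
		ErrorFunc: func(res http.ResponseWriter) {
			http.Error(res, "CSRF Token Failure", http.StatusUnauthorized)
		},
	}))
}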
// main runs the cookie-token variant of the CSRF example: the token is
// pushed to the browser as a cookie (SetCookie) so a client-side app can
// read it and send it back on POST /protected, where csrf.Validate checks
// it before the handler runs.
//
// "secret123" and "token123" are placeholder secrets for the demo only.
func main() {
	m := martini.Classic()

	sessionStore := sessions.NewCookieStore([]byte("secret123"))
	m.Use(render.Renderer())
	m.Use(sessions.Sessions("my_session", sessionStore))

	// Send token as a cookie.
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     "token123",
		SessionKey: "userID",
		SetCookie:  true,
	}))

	// "/": anyone without a userID in the session is bounced to /login;
	// otherwise the static index page is served and the token is issued
	// while handling this request.
	index := func(s sessions.Session, r render.Render, req *http.Request, resp http.ResponseWriter) {
		if s.Get("userID") == nil {
			r.Redirect("/login", http.StatusFound)
			return
		}
		// ServeFile rather than the renderer: the page is a static shell
		// that loads its Angular assets itself.
		http.ServeFile(resp, req, "templates/index.html")
	}

	loginForm := func(r render.Render) {
		r.HTML(http.StatusOK, "login", nil)
	}

	// Stand-in for real authentication: any POST is treated as a
	// successful login and stamped with a fixed user id.
	loginSubmit := func(s sessions.Session, r render.Render) {
		s.Set("userID", "123456789")
		r.Redirect("/", http.StatusFound)
	}

	// csrf.Validate runs ahead of this handler; the handler still requires
	// a session so a valid token without a login yields 401.
	protected := func(r render.Render, s sessions.Session) {
		if s.Get("userID") != nil {
			r.JSON(http.StatusOK, map[string]interface{}{"message": "You did something that required a valid token!"})
			return
		}
		r.JSON(http.StatusUnauthorized, nil)
	}

	m.Get("/", index)
	m.Get("/login", loginForm)
	m.Post("/login", loginSubmit)
	m.Post("/protected", csrf.Validate, protected)

	m.Run()
}