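// VerifyFor checks the XSRF token carried by req.
//
// Unless x.FilterGet is set, GET, HEAD and OPTIONS requests are accepted
// without a token. The token is looked up, in order, in the
// _HEADER_XSRFTOKEN header, the _HEADER_CSRFTOKEN header and the
// _XSRF_PARAM_NAME query parameter; a request carrying none of them is
// rejected.
//
// A token is accepted only if x.verify accepts its signature, its
// timestamp is not the -1 sentinel, it has not aged past x.Timeout
// seconds, and it was issued for the caller's remote IP.
func (x *Xsrf) VerifyFor(req zerver.Request) bool {
	method := req.ReqMethod()
	safeMethod := method == zerver.METHOD_GET ||
		method == zerver.METHOD_HEAD ||
		method == zerver.METHOD_OPTIONS
	if safeMethod && !x.FilterGet {
		return true
	}

	token := req.GetHeader(_HEADER_XSRFTOKEN)
	if token == "" {
		token = req.GetHeader(_HEADER_CSRFTOKEN)
	}
	if token == "" {
		// NOTE(review): accepting the token from the query string means it
		// can end up in access logs and Referer headers; confirm this
		// fallback is still needed.
		token = req.Vars().QueryVar(_XSRF_PARAM_NAME)
	}
	if token == "" {
		return false
	}

	data := x.verify(unsafe2.Bytes(token))
	if data == nil {
		return false
	}
	// Release the buffer only after every read of it has completed. The
	// original called x.Pool.Put(data) before Unmarshal, so a concurrent
	// Get could hand the same bytes to another goroutine while they were
	// still being decoded here.
	defer x.Pool.Put(data)

	issuedAt, ip := x.TokenInfo.Unmarshal(data)
	if issuedAt == -1 {
		return false
	}
	if issuedAt+x.Timeout < time2.Now().Unix() {
		return false
	}
	// Binding to the TCP peer address: behind a reverse proxy every caller
	// shares the proxy's IP — NOTE(review): confirm the deployment sees
	// the real client address.
	return ip == http2.IpOfAddr(req.RemoteAddr())
}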
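// Filter is a replay guard. Every non-GET request must carry a request id
// in the ri.HeaderName header; the id, scoped to the caller's remote IP,
// is recorded in ri.Store for the duration of the request, and a second
// request reusing it while the first is still in flight is rejected with
// 403.
//
// GET requests pass straight through (HEAD and OPTIONS are not exempt).
// A request with no id is passed through when ri.PassingOnNoId is set
// and otherwise answered with 400. A store failure other than a duplicate
// id is logged and answered with 500.
func (ri *RequestId) Filter(req zerver.Request, resp zerver.Response, chain zerver.FilterChain) {
	if req.ReqMethod() == zerver.METHOD_GET {
		chain(req, resp)
		return
	}

	reqId := req.GetHeader(ri.HeaderName)
	if reqId == "" {
		if ri.PassingOnNoId {
			chain(req, resp)
			return
		}
		resp.StatusCode(http.StatusBadRequest)
		return
	}

	// Key by remote IP so one client cannot collide with another client's
	// ids. Behind a reverse proxy every caller shares the proxy's address —
	// NOTE(review): confirm the deployment sees the real peer address.
	id := http2.IpOfAddr(req.RemoteAddr()) + ":" + reqId
	err := ri.Store.Save(id)
	switch {
	case err == ErrRequestIDExist:
		resp.StatusCode(http.StatusForbidden)
	case err != nil:
		// The original logged here and then neither invoked the chain nor
		// set a status; answer 500 so the client gets a definite failure.
		ri.log.Warn(log.M{"msg": "save request id failed", "err": err.Error()})
		resp.StatusCode(http.StatusInternalServerError)
	default:
		// Deferred so the id is released even if the chain panics; a stuck
		// id would otherwise turn every retry into a 403.
		defer ri.Store.Remove(id)
		chain(req, resp)
	}
}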
// CreateFor mints a signed XSRF token bound to the current Unix time and
// the caller's remote IP address. If TokenInfo.Marshal fails, its error is
// returned unchanged with a nil token.
func (x *Xsrf) CreateFor(req zerver.Request) ([]byte, error) {
	issuedAt := time2.Now().Unix()
	clientIp := http2.IpOfAddr(req.RemoteAddr())

	payload, err := x.TokenInfo.Marshal(issuedAt, clientIp)
	if err != nil {
		return nil, err
	}
	return x.sign(payload), nil
}