// WebsocketHandler handles an incoming WebSocket and dispatches to the correct // handler based on whether the user is authenticated and whether the session // he's viewing belongs to him. func WebsocketHandler(s *websocket.Conn, dbStore *Store, sessionStore sessions.Store, redisAddr string) { StatCount("websocket", 1) xlog.Infof("WebsocketHandler: opened connection") r := s.Request() session, err := sessionStore.Get(r, SESSIONNAME) if err != nil { xlog.Debugf("Getting session failed: %v", err) StatCount("getting session failed", 1) return } sessionData := struct { SessionID string `json:"session_id"` }{} if err := websocket.JSON.Receive(s, &sessionData); err != nil { xlog.Errorf("WebsocketHandler: JSON.Receive failed: %v", err) return } owner, sessionID, err := dbStore.GetOwnerForSession(sessionData.SessionID) if err != nil { xlog.Errorf("GetOwnerForSession failed: %v", err) return } if session.Values["userID"] == nil { xlog.Errorf("WebsocketHandler is not authenticated -> slave handler") slaveHandler(s, sessionID, dbStore, redisAddr) } else if owner == session.Values["userID"].(int) { xlog.Infof("WebSocketHandler owner matches -> master handler") masterHandler(s, sessionID, dbStore, redisAddr) } else { xlog.Infof("WebSocketHandler owner doesn't match -> slave handler") slaveHandler(s, sessionID, dbStore, redisAddr) } }
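// VerifyXSRFToken checks the anti-CSRF token carried in the XSRFTOKENHEADER
// request header against the caller's cookie session.
//
// The token is a securecookie-encoded user name (Decode rejects values not
// produced with the server's key). It is accepted only when it decodes, is
// non-empty and equals the session's "username" value. On success the
// function returns true and writes nothing. On any failure it writes
// 403 Forbidden, bumps the failure counter and returns false, so the caller
// must stop handling the request when false is returned.
func VerifyXSRFToken(w http.ResponseWriter, r *http.Request, sessionStore sessions.Store, secureCookie *securecookie.SecureCookie) bool {
	xsrftoken := r.Header.Get(XSRFTOKENHEADER)
	userID := ""
	err := secureCookie.Decode(XSRFTOKEN, xsrftoken, &userID)
	if err == nil {
		// The session lookup error was previously discarded; a failed lookup
		// must not be able to verify a token, so treat it as a failure.
		session, serr := sessionStore.Get(r, SESSIONNAME)
		if serr != nil {
			xlog.Errorf("XSRF issue: getting session failed: %v", serr)
		} else {
			// Checked assertion: a request without a logged-in user has no
			// "username" in its session, and the unchecked ".(string)" form
			// panics on that nil value.
			username, ok := session.Values["username"].(string)
			if ok && userID != "" && userID == username {
				xlog.Infof("XSRF verification success for user %s", username)
				return true
			}
			xlog.Errorf("XSRF issue: userID = %s session = %s", userID, username)
		}
	}
	// Log only the request line. Formatting *r with %#v wrote every header,
	// including Cookie and the XSRF token itself, into the error log.
	xlog.Errorf("XSRF verification failed: %v (Request: %s %s)", err, r.Method, r.URL.Path)
	http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
	StatCount("XSRF verification failed", 1)
	return false
}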