// CSRFMiddleware builds the application's CSRF token-generation handler.
// sessionSecret is handed to the csrf package as its Secret and sessionKey
// names the session entry the tokens are tied to. When a token check fails
// the client receives a plain-text 400 Bad Request.
func CSRFMiddleware(sessionSecret string, sessionKey string) martini.Handler {
	onFailure := func(w http.ResponseWriter) {
		http.Error(w, "CSRF token validation failed", http.StatusBadRequest)
	}
	opts := &csrf.Options{
		Secret:     sessionSecret,
		SessionKey: sessionKey,
		ErrorFunc:  onFailure,
	}
	return csrf.Generate(opts)
}
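// main wires up a small martini application that demonstrates CSRF
// protection with a custom HTML error page. The session and CSRF secrets
// are hard-coded for the example only; a deployment should load them from
// configuration rather than embed them in the binary.
func main() {
	m := martini.Classic()
	store := sessions.NewCookieStore([]byte("secret123"))
	m.Use(render.Renderer())
	m.Use(sessions.Sessions("my_session", store))
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     "token123",
		SessionKey: "userID",
		// Serve the custom error page on a failed token check. The read
		// error used to be discarded, which produced an empty 422 body when
		// the template was missing; fall back to a plain-text error instead.
		ErrorFunc: func(w http.ResponseWriter) {
			buf, err := ioutil.ReadFile("templates/error.html")
			if err != nil {
				http.Error(w, "CSRF token validation failed", http.StatusUnprocessableEntity)
				return
			}
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			w.WriteHeader(http.StatusUnprocessableEntity)
			fmt.Fprintln(w, string(buf))
		},
	}))

	// A session without a userID is sent to /login; otherwise the index
	// template is rendered with a freshly generated token.
	m.Get("/", func(s sessions.Session, r render.Render, x csrf.CSRF) {
		if s.Get("userID") == nil {
			r.Redirect("/login", 302)
			return
		}
		r.HTML(200, "index", x.GetToken())
	})
	m.Get("/login", func(r render.Render) {
		r.HTML(200, "login", nil)
	})
	// Stand-in for a real credential check: any POST marks the session as
	// logged in with a fixed userID.
	m.Post("/login", func(s sessions.Session, r render.Render) {
		s.Set("userID", "123456")
		r.Redirect("/")
	})
	// csrf.Validate runs before the handler and rejects requests that do
	// not carry a valid token.
	m.Post("/protected", csrf.Validate, func(s sessions.Session, r render.Render) {
		if s.Get("userID") != nil {
			r.HTML(200, "result", "You submitted a valid token")
			return
		}
		r.Redirect("/login", 401)
	})
	m.Get("/error", func(r render.Render) {
		r.HTML(200, "custom_error", nil)
	})
	m.Run()
}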
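// setMiddleware installs the application's middleware chain on m: database
// setup, static files, the layout renderer, cookie sessions and CSRF token
// generation. The session and CSRF secrets are read from the SECRET and CSRF
// environment variables; startup is refused when either is empty, since the
// original code passed an empty value straight through and would have run
// with the session and CSRF protection resting on an empty key.
func setMiddleware(m *martini.ClassicMartini) {
	setDB(m)
	m.Use(martini.Static("public"))
	m.Use(render.Renderer(render.Options{
		Layout: "layout",
	}))

	sessionSecret := os.Getenv("SECRET")
	if sessionSecret == "" {
		panic("setMiddleware: SECRET environment variable must be set")
	}
	csrfSecret := os.Getenv("CSRF")
	if csrfSecret == "" {
		panic("setMiddleware: CSRF environment variable must be set")
	}

	store := sessions.NewCookieStore([]byte(sessionSecret))
	m.Use(sessions.Sessions("session", store))
	m.Use(csrf.Generate(&csrf.Options{
		Secret:     csrfSecret,
		SessionKey: "user",
		// A failed token check is answered with a plain-text 401.
		ErrorFunc: func(res http.ResponseWriter) {
			http.Error(res, "CSRF Token Failure", http.StatusUnauthorized)
		},
	}))
}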
// main starts an example martini application in which the CSRF token is
// delivered to the client as a cookie and consumed by a static front end.
// The session and CSRF secrets are fixed example values; a deployment would
// load them from configuration instead of embedding them in the binary.
func main() {
	app := martini.Classic()
	cookieStore := sessions.NewCookieStore([]byte("secret123"))
	app.Use(render.Renderer())
	app.Use(sessions.Sessions("my_session", cookieStore))

	// Hand the token to the client in a cookie rather than through a template.
	app.Use(csrf.Generate(&csrf.Options{
		Secret:     "token123",
		SessionKey: "userID",
		SetCookie:  true,
	}))

	// Mimics an authenticated area: a session carrying a userID gets the
	// static index page (the token is generated on this request, ServeFile
	// is used so the front end can load lazily); anyone else is sent to /login.
	index := func(s sessions.Session, r render.Render, req *http.Request, resp http.ResponseWriter) {
		if s.Get("userID") != nil {
			http.ServeFile(resp, req, "templates/index.html")
			return
		}
		r.Redirect("/login", 302)
	}
	loginPage := func(r render.Render) {
		r.HTML(200, "login", nil)
	}
	// Stand-in for a real credential check: unconditionally marks the
	// session as logged in with a fixed userID.
	doLogin := func(s sessions.Session, r render.Render) {
		s.Set("userID", "123456789")
		r.Redirect("/", 302)
	}
	// csrf.Validate runs ahead of this handler and rejects requests that
	// do not present a valid token.
	protected := func(r render.Render, s sessions.Session) {
		if s.Get("userID") == nil {
			r.JSON(401, nil)
			return
		}
		r.JSON(200, map[string]interface{}{"message": "You did something that required a valid token!"})
	}

	app.Get("/", index)
	app.Get("/login", loginPage)
	app.Post("/login", doLogin)
	app.Post("/protected", csrf.Validate, protected)
	app.Run()
}