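// Test_GenerateToken checks that the CSRF middleware issues a token once the
// session carries a "uid" (here a string, one of the accepted types): the
// /private handler must be handed a non-empty token on the follow-up request.
func Test_GenerateToken(t *testing.T) {
	Convey("Generate token", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer())

		// Simulate login.
		m.Get("/login", func(sess session.Store, x CSRF) {
			sess.Set("uid", "123456")
		})
		// Generate token: the middleware has seen the uid by now, so the token
		// injected into the handler must be populated.
		m.Get("/private", func(x CSRF) {
			So(x.GetToken(), ShouldNotBeEmpty)
		})

		// Log in to obtain the session cookie.
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/login", nil)
		So(err, ShouldBeNil)
		m.ServeHTTP(resp, req)
		cookie := resp.Header().Get("Set-Cookie")

		// Replay the session cookie; token generation happens on this request.
		resp = httptest.NewRecorder()
		req, err = http.NewRequest("GET", "/private", nil)
		So(err, ShouldBeNil)
		req.Header.Set("Cookie", cookie)
		m.ServeHTTP(resp, req)
	})
}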
// main wires the Orbiter web application: the renderer, sessions and the
// request context, the UI routes behind BasicAuth, the /hook endpoint, the
// /api group, and finally the HTTP listener on setting.HTTPPort.
func main() {
	log.Printf("Orbiter %s", APP_VER)

	m := macaron.Classic()
	m.Use(macaron.Renderer(macaron.RenderOptions{
		Funcs:      template.NewFuncMap(),
		IndentJSON: macaron.Env != macaron.PROD,
	}))
	m.Use(session.Sessioner())
	m.Use(context.Contexter())

	bindIgnErr := binding.BindIgnErr

	// Route groups are built as closures and registered below, in this order.
	collectors := func() {
		m.Get("", routers.Collectors)
		m.Combo("/new").
			Get(routers.NewCollector).
			Post(bindIgnErr(routers.NewCollectorForm{}), routers.NewCollectorPost)
		m.Group("/:id", func() {
			m.Combo("").
				Get(routers.EditCollector).
				Post(bindIgnErr(routers.NewCollectorForm{}), routers.EditCollectorPost)
			m.Post("/regenerate_token", routers.RegenerateCollectorSecret)
			m.Post("/delete", routers.DeleteCollector)
		})
	}
	applications := func() {
		m.Get("", routers.Applications)
		m.Combo("/new").
			Get(routers.NewApplication).
			Post(bindIgnErr(routers.NewApplicationForm{}), routers.NewApplicationPost)
		m.Group("/:id", func() {
			m.Combo("").
				Get(routers.EditApplication).
				Post(bindIgnErr(routers.NewApplicationForm{}), routers.EditApplicationPost)
			m.Post("/regenerate_token", routers.RegenerateApplicationSecret)
			m.Post("/delete", routers.DeleteApplication)
		})
	}
	webhooks := func() {
		m.Get("", routers.Webhooks)
		m.Get("/:id", routers.ViewWebhook)
	}

	// Everything in this group sits behind BasicAuth; /hook and /api below
	// are registered outside it and are not covered by that check.
	m.Group("", func() {
		m.Get("/", routers.Dashboard)
		m.Group("/collectors", collectors)
		m.Group("/applications", applications)
		m.Group("/webhooks", webhooks)
		m.Get("/config", routers.Config)
	}, context.BasicAuth())
	m.Post("/hook", routers.Hook)
	m.Group("/api", func() {
		apiv1.RegisterRoutes(m)
	})

	listenAddr := fmt.Sprintf("0.0.0.0:%d", setting.HTTPPort)
	log.Println("Listening on", listenAddr)
	// NOTE(review): http.ListenAndServe runs a server with no read/write
	// timeouts; an http.Server with ReadHeaderTimeout set would bound slow clients.
	log.Fatal(http.ListenAndServe(listenAddr, m))
}
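// main builds the demo site: cache, an in-memory session store, CSRF
// protection, a captcha, the HTML renderer, the index route and a 404 page,
// then starts the classic Macaron listener.
func main() {
	m := macaron.Classic()
	m.Use(cache.Cacher())

	// Sessions live in process memory; both the GC and the max lifetime are
	// one hour, and the cookie itself is a session cookie (CookieLifeTime 0).
	m.Use(session.Sessioner(session.Options{
		Provider:       "memory",
		ProviderConfig: "",
		CookieName:     "Kfx",
		CookiePath:     "/",
		Gclifetime:     3600,
		Maxlifetime:    3600,
		// NOTE(review): the session cookie is not marked Secure, so a browser
		// also sends it over plain HTTP; set this to true once served over TLS.
		Secure:         false,
		CookieLifeTime: 0,
		// Domain is the cookie's Domain attribute, not a path. "/" is not a
		// valid domain and net/http drops such an attribute when serialising
		// the cookie, so an empty value produces the same host-only cookie
		// without emitting an invalid attribute.
		Domain:   "",
		IDLength: 16,
		Section:  "session",
	}))
	m.Use(csrf.Csrfer())
	m.Use(captcha.Captchaer(captcha.Options{
		// URL prefix for the captcha image; default "/captcha/".
		URLPrefix: "/captcha/",
		// ID of the hidden form element; default "captcha_id".
		FieldIdName: "captcha_id",
		// ID of the element the user types the captcha into; default "captcha".
		FieldCaptchaName: "captcha",
		// Number of characters to verify; default 6.
		ChallengeNums: 6,
		// Image width in pixels; default 240.
		Width: 240,
		// Image height in pixels; default 80.
		Height: 80,
		// Captcha expiry in seconds; default 600.
		Expiration: 600,
		// Cache key prefix under which the expected value is stored; default "captcha_".
		CachePrefix: "captcha_",
	}))
	m.Use(renders.Renderer(renders.Options{
		Directory:       "templates",
		Extensions:      []string{".html"},
		Charset:         "UTF-8",
		IndentJSON:      true,
		IndentXML:       true,
		HTMLContentType: "text/html",
	}))

	m.Get("/", index.Index)
	m.NotFound(func(r renders.Render) {
		r.HTML(200, "404.html", map[string]interface{}{"Title": "Home"})
	})
	m.Run()
}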
// App builds the application router: it opens the database, derives the
// Macaron environment from Config.Development, installs session and CSRF
// middleware, the pongo2 renderer (.htm templates), the /assets static
// handler and per-request template data, registers the favicon and the root
// redirect, and mounts the habits, journal and log route groups.
func App() *macaron.Macaron {
	m := macaron.Classic()
	DBOpen()

	macaron.Env = "production"
	if Config.Development {
		macaron.Env = "development"
	}

	m.Use(session.Sessioner())
	m.Use(csrf.Csrfer())
	m.Use(pongo2.Pongoer(pongo2.Options{
		Directory:  "templates",
		Extensions: []string{".htm"},
	}))
	// Serve static files from /assets
	m.Use(macaron.Static("assets", macaron.StaticOptions{Prefix: "assets"}))
	// Expose site-wide values to every template.
	m.Use(func(c *macaron.Context) {
		c.Data["SiteTitle"] = Config.SiteTitle
		c.Data["Development"] = Config.Development
		c.Next()
	})

	// Routes
	m.Get("/favicon.ico", func(c *macaron.Context) { c.ServeFileContent("favicon.ico") })
	m.Get("/", func(c *macaron.Context) { c.Redirect("/habits") })

	// mount registers a sub-router's routes under prefix.
	mount := func(prefix string, register func(m *macaron.Macaron)) {
		m.Group(prefix, func() { register(m) })
	}
	mount("/habits", habitsInit)
	mount("/journal", journalInit)
	mount("/log", logInit)
	return m
}
// newMacaron assembles the Macaron instance: the "layout" renderer with the
// markdown, raw and momentDiff template helpers, cache, sessions, CSRF, three
// static roots, en-US/ru-RU i18n and the application context.
func newMacaron() *macaron.Macaron {
	m := macaron.New()

	helpers := template.FuncMap{
		"markdown": base.Markdown,
		// raw marks its input as already-safe HTML and therefore bypasses
		// html/template escaping; it must only be applied to trusted markup.
		"raw":        func(s string) template.HTML { return template.HTML(s) },
		"momentDiff": func(t time.Time) string { return since.Since(t) },
	}
	m.Use(macaron.Renderer(macaron.RenderOptions{
		Layout: "layout",
		Funcs:  []template.FuncMap{helpers},
	}))
	/*
		m.Use(func(c *macaron.Context) {
			if strings.HasSuffix(c.Req.URL.Path, ".json") {
				color.Green("JSON")
				c.Req.Request.URL
				c.Req.URL.Path = strings.TrimSuffix(c.Req.URL.Path, ".json")
				c.Req.URL.RawPath = strings.TrimSuffix(c.Req.URL.RawPath, ".json")
				c.Req.RequestURI = c.Req.URL.RequestURI()
				c.Data["json"] = true
			}
			c.Next()
		})
	*/
	m.Use(cache.Cacher())
	m.Use(session.Sessioner())
	m.Use(csrf.Csrfer())

	// Static roots: "static" and "data/uploads" are served at the site root,
	// "data/public" under /public.
	// NOTE(review): "data/uploads" is exposed on the application origin with
	// no prefix; if those files are user-supplied, uploaded HTML/SVG would be
	// rendered in the app's own origin.
	m.Use(macaron.Static("static"))
	m.Use(macaron.Static("data/uploads"))
	m.Use(macaron.Static("data/public", macaron.StaticOptions{Prefix: "public"}))

	m.Use(i18n.I18n(i18n.Options{
		Langs: []string{"en-US", "ru-RU"},
		Names: []string{"English", "Русский"},
	}))
	m.Use(middleware.Contexter())
	return m
}
// newMacaron initializes Macaron instance. func newMacaron() *macaron.Macaron { m := macaron.New() m.Use(macaron.Logger()) m.Use(macaron.Recovery()) m.Use(macaron.Static("public", macaron.StaticOptions{ SkipLogging: setting.ProdMode, }, )) m.Use(macaron.Static("raw", macaron.StaticOptions{ Prefix: "raw", SkipLogging: setting.ProdMode, })) m.Use(pongo2.Pongoer(pongo2.Options{ IndentJSON: !setting.ProdMode, })) m.Use(i18n.I18n()) m.Use(session.Sessioner()) m.Use(middleware.Contexter()) return m }
// main boots the web server: logging, recovery, cache, a session cookie named
// "s", a 120x40 captcha, /static assets, the pongo2 renderer, the spider and
// token middleware; it then bootstraps the application, registers the routes
// and listens on boot.WebListenIP:boot.WebPort.
func main() {
	log.Debug("Starting server...")

	m := macaron.New()
	// Middleware is installed in exactly this order.
	for _, h := range []macaron.Handler{
		macaron.Logger(),
		macaron.Recovery(),
		cache.Cacher(),
		session.Sessioner(session.Options{CookieName: "s"}),
		captcha.Captchaer(captcha.Options{Width: 120, Height: 40}),
		macaron.Static("static", macaron.StaticOptions{Prefix: "/static"}),
		pongo2.Pongoer(),
		//i18n.I18n(i18n.Options{
		//	Langs: []string{"en-US", "zh-CN"},
		//	Names: []string{"English", "简体中文"},
		//}),
		spider.SpiderFunc(),
		token.Tokener(),
	} {
		m.Use(h)
	}

	boot.BootStrap()
	router.Route(m)
	m.Run(boot.WebListenIP, boot.WebPort)
}
// newMacaron initializes Macaron instance.
//
// Middleware order matters and is preserved: optional router logging,
// recovery, optional gzip, the FCGI sub-URL prefix, the public and avatar
// static roots, the template renderer, i18n from embedded locale files,
// cache, captcha, sessions, CSRF, the toolbox health check and finally the
// request context.
func newMacaron() *macaron.Macaron {
	m := macaron.New()
	if !setting.DisableRouterLog {
		m.Use(macaron.Logger())
	}
	m.Use(macaron.Recovery())
	if setting.EnableGzip {
		m.Use(gzip.Gziper())
	}
	if setting.Protocol == setting.FCGI {
		m.SetURLPrefix(setting.AppSubUrl)
	}

	// Static roots share the logging switch; avatars are mounted under /avatars.
	publicOpts := macaron.StaticOptions{SkipLogging: setting.DisableRouterLog}
	m.Use(macaron.Static(path.Join(setting.StaticRootPath, "public"), publicOpts))
	avatarOpts := publicOpts
	avatarOpts.Prefix = "avatars"
	m.Use(macaron.Static(setting.AvatarUploadPath, avatarOpts))

	m.Use(macaron.Renderer(macaron.RenderOptions{
		Directory:  path.Join(setting.StaticRootPath, "templates"),
		Funcs:      []gotmpl.FuncMap{template.Funcs},
		IndentJSON: macaron.Env != macaron.PROD,
	}))

	// Embedded locale files keyed by file name; an unreadable asset directory
	// is fatal because the UI cannot render without its translations.
	localeNames, err := bindata.AssetDir("conf/locale")
	if err != nil {
		log.Fatal(4, "Fail to list locale files: %v", err)
	}
	localeFiles := make(map[string][]byte, len(localeNames))
	for _, name := range localeNames {
		localeFiles[name] = bindata.MustAsset("conf/locale/" + name)
	}
	m.Use(i18n.I18n(i18n.Options{
		SubURL:          setting.AppSubUrl,
		Files:           localeFiles,
		CustomDirectory: path.Join(setting.CustomPath, "conf/locale"),
		Langs:           setting.Langs,
		Names:           setting.Names,
		DefaultLang:     "en-US",
		Redirect:        true,
	}))

	m.Use(cache.Cacher(cache.Options{
		Adapter:       setting.CacheAdapter,
		AdapterConfig: setting.CacheConn,
		Interval:      setting.CacheInternal,
	}))
	m.Use(captcha.Captchaer(captcha.Options{SubURL: setting.AppSubUrl}))
	m.Use(session.Sessioner(setting.SessionConfig))

	// CSRF tokens are keyed by setting.SecretKey and carried in the
	// X-Csrf-Token header; the cookie is scoped to the app sub-URL.
	m.Use(csrf.Csrfer(csrf.Options{
		Secret:     setting.SecretKey,
		SetCookie:  true,
		Header:     "X-Csrf-Token",
		CookiePath: setting.AppSubUrl,
	}))
	m.Use(toolbox.Toolboxer(m, toolbox.Options{
		HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
			{Desc: "Database connection", Func: models.Ping},
		},
	}))
	m.Use(middleware.Contexter())
	return m
}
// newMacaron builds the Macaron instance: optional router logging, recovery,
// the FCGI sub-URL prefix, the public and avatar static roots, the template
// renderer with a custom template overlay, i18n from embedded locale files,
// cache, captcha, sessions, CSRF and the toolbox health check. The request
// context middleware is currently left disabled (see the trailing comment).
func newMacaron() *macaron.Macaron {
	m := macaron.New()

	// DISABLE_ROUTER_LOG: enabling this option suppresses route logging.
	// Install the Macaron request logger unless it is disabled.
	if !setting.DisableRouterLog {
		m.Use(macaron.Logger())
	}
	// Macaron panic recovery.
	m.Use(macaron.Recovery())
	if setting.Protocol == setting.FCGI {
		m.SetURLPrefix(setting.AppSubUrl)
	}

	// Static asset paths.
	m.Use(macaron.Static(
		path.Join(setting.StaticRootPath, "public"),
		macaron.StaticOptions{SkipLogging: setting.DisableRouterLog},
	))
	m.Use(macaron.Static(
		setting.AvatarUploadPath,
		macaron.StaticOptions{Prefix: "avatars", SkipLogging: setting.DisableRouterLog},
	))

	// Template renderer; templates under the custom path overlay the defaults.
	m.Use(macaron.Renderer(macaron.RenderOptions{
		Directory:         path.Join(setting.StaticRootPath, "templates"),
		AppendDirectories: []string{path.Join(setting.CustomPath, "templates")},
		Funcs:             template.NewFuncMap(),
		IndentJSON:        macaron.Env != macaron.PROD,
	}))

	// Locale (i18n) directory: embedded files, keyed by name.
	localeNames, err := bindata.AssetDir("conf/locale")
	if err != nil {
		log.Fatal(4, "Fail to list locale files: %v", err)
	}
	localeFiles := make(map[string][]byte)
	for _, name := range localeNames {
		localeFiles[name] = bindata.MustAsset("conf/locale/" + name)
	}
	m.Use(i18n.I18n(i18n.Options{
		SubURL:          setting.AppSubUrl,
		Files:           localeFiles,
		CustomDirectory: path.Join(setting.CustomPath, "conf/locale"),
		Langs:           setting.Langs,
		Names:           setting.Names,
		DefaultLang:     "en-US",
		Redirect:        true,
	}))

	m.Use(cache.Cacher(cache.Options{
		Adapter:       setting.CacheAdapter,
		AdapterConfig: setting.CacheConn,
		Interval:      setting.CacheInternal,
	}))
	m.Use(captcha.Captchaer(captcha.Options{SubURL: setting.AppSubUrl}))
	m.Use(session.Sessioner(setting.SessionConfig))
	// CSRF tokens are keyed by setting.SecretKey, stored in the configured
	// cookie and checked against the X-Csrf-Token header.
	m.Use(csrf.Csrfer(csrf.Options{
		Secret:     setting.SecretKey,
		Cookie:     setting.CSRFCookieName,
		SetCookie:  true,
		Header:     "X-Csrf-Token",
		CookiePath: setting.AppSubUrl,
	}))
	m.Use(toolbox.Toolboxer(m, toolbox.Options{
		HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
			{Desc: "Database connection", Func: models.Ping},
		},
	}))
	// The context middleware is intentionally not installed here.
	//m.Use(context.Contexter())
	return m
}
// Test_PostgresProvider exercises the postgres session provider through real
// requests: set/regenerate/read/delete/destroy across one cookie-carrying
// session, regenerating an unknown session ID, and GC after Gclifetime.
//
// ProviderConfig points at a local database (user, dbname, port, and
// sslmode=disable); that instance must be reachable for the test to pass.
func Test_PostgresProvider(t *testing.T) {
	// newGet builds a GET request for path, failing the test if that errors.
	newGet := func(path string) *http.Request {
		req, err := http.NewRequest("GET", path, nil)
		So(err, ShouldBeNil)
		return req
	}
	// withCookie sets cookie as the request's Cookie header and returns it.
	withCookie := func(req *http.Request, cookie string) *http.Request {
		req.Header.Set("Cookie", cookie)
		return req
	}
	// serve runs req through m and returns the recorded response.
	serve := func(m *macaron.Macaron, req *http.Request) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		m.ServeHTTP(resp, req)
		return resp
	}

	Convey("Test postgres session provider", t, func() {
		opt := session.Options{
			Provider:       "postgres",
			ProviderConfig: "user=jiahuachen dbname=macaron port=5432 sslmode=disable",
		}

		Convey("Basic operation", func() {
			m := macaron.New()
			m.Use(session.Sessioner(opt))
			// "/" stores a value, "/reg" regenerates the ID and checks the value
			// survived, "/get" reads the raw store then deletes and destroys.
			m.Get("/", func(ctx *macaron.Context, sess session.Store) {
				sess.Set("uname", "unknwon")
			})
			m.Get("/reg", func(ctx *macaron.Context, sess session.Store) {
				raw, err := sess.RegenerateId(ctx)
				So(err, ShouldBeNil)
				So(raw, ShouldNotBeNil)
				uname := raw.Get("uname")
				So(uname, ShouldNotBeNil)
				So(uname, ShouldEqual, "unknwon")
			})
			m.Get("/get", func(ctx *macaron.Context, sess session.Store) {
				sid := sess.ID()
				So(sid, ShouldNotBeEmpty)
				raw, err := sess.Read(sid)
				So(err, ShouldBeNil)
				So(raw, ShouldNotBeNil)
				So(raw.Release(), ShouldBeNil)
				uname := sess.Get("uname")
				So(uname, ShouldNotBeNil)
				So(uname, ShouldEqual, "unknwon")
				So(sess.Delete("uname"), ShouldBeNil)
				So(sess.Get("uname"), ShouldBeNil)
				So(sess.Destory(ctx), ShouldBeNil)
			})

			// Each response's Set-Cookie feeds the next request, so all three
			// hits share one session (with a fresh ID after /reg).
			cookie := serve(m, newGet("/")).Header().Get("Set-Cookie")
			cookie = serve(m, withCookie(newGet("/reg"), cookie)).Header().Get("Set-Cookie")
			serve(m, withCookie(newGet("/get"), cookie))
		})

		Convey("Regenrate empty session", func() {
			m := macaron.New()
			m.Use(session.Sessioner(opt))
			m.Get("/", func(ctx *macaron.Context, sess session.Store) {
				raw, err := sess.RegenerateId(ctx)
				So(err, ShouldBeNil)
				So(raw, ShouldNotBeNil)
				So(sess.Destory(ctx), ShouldBeNil)
			})
			// A cookie naming a session ID the store has never seen.
			serve(m, withCookie(newGet("/"), "MacaronSession=ad2c7e3cbecfcf48; Path=/;"))
		})

		Convey("GC session", func() {
			m := macaron.New()
			gcOpt := opt
			gcOpt.Gclifetime = 1
			m.Use(session.Sessioner(gcOpt))
			m.Get("/", func(sess session.Store) {
				sess.Set("uname", "unknwon")
				So(sess.ID(), ShouldNotBeEmpty)
				uname := sess.Get("uname")
				So(uname, ShouldNotBeNil)
				So(uname, ShouldEqual, "unknwon")
				So(sess.Flush(), ShouldBeNil)
				So(sess.Get("uname"), ShouldBeNil)
				// Outlive Gclifetime so the collector has something to reap.
				time.Sleep(2 * time.Second)
				sess.GC()
				So(sess.Count(), ShouldEqual, 0)
			})
			serve(m, newGet("/"))
		})
	})
}
// Test_LedisProvider exercises the nodb session provider backed by ./tmp.db:
// set/regenerate/read/delete/destroy across one cookie-carrying session, then
// regenerating a session ID the store has never seen.
func Test_LedisProvider(t *testing.T) {
	// newGet builds a GET request for path, failing the test if that errors.
	newGet := func(path string) *http.Request {
		req, err := http.NewRequest("GET", path, nil)
		So(err, ShouldBeNil)
		return req
	}
	// withCookie sets cookie as the request's Cookie header and returns it.
	withCookie := func(req *http.Request, cookie string) *http.Request {
		req.Header.Set("Cookie", cookie)
		return req
	}
	// serve runs req through m and returns the recorded response.
	serve := func(m *macaron.Macaron, req *http.Request) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		m.ServeHTTP(resp, req)
		return resp
	}

	Convey("Test nodb session provider", t, func() {
		opt := session.Options{
			Provider:       "nodb",
			ProviderConfig: "./tmp.db",
		}

		Convey("Basic operation", func() {
			m := macaron.New()
			m.Use(session.Sessioner(opt))
			m.Get("/", func(ctx *macaron.Context, sess session.Store) {
				sess.Set("uname", "unknwon")
			})
			m.Get("/reg", func(ctx *macaron.Context, sess session.Store) {
				raw, err := sess.RegenerateId(ctx)
				So(err, ShouldBeNil)
				So(raw, ShouldNotBeNil)
				uname := raw.Get("uname")
				So(uname, ShouldNotBeNil)
				So(uname, ShouldEqual, "unknwon")
			})
			m.Get("/get", func(ctx *macaron.Context, sess session.Store) {
				sid := sess.ID()
				So(sid, ShouldNotBeEmpty)
				raw, err := sess.Read(sid)
				So(err, ShouldBeNil)
				So(raw, ShouldNotBeNil)
				uname := sess.Get("uname")
				So(uname, ShouldNotBeNil)
				So(uname, ShouldEqual, "unknwon")
				So(sess.Delete("uname"), ShouldBeNil)
				So(sess.Get("uname"), ShouldBeNil)
				So(sess.Destory(ctx), ShouldBeNil)
			})

			// Chain the three requests through the Set-Cookie each one returns.
			cookie := serve(m, newGet("/")).Header().Get("Set-Cookie")
			cookie = serve(m, withCookie(newGet("/reg"), cookie)).Header().Get("Set-Cookie")
			serve(m, withCookie(newGet("/get"), cookie))

			Convey("Regenrate empty session", func() {
				m.Get("/empty", func(ctx *macaron.Context, sess session.Store) {
					raw, err := sess.RegenerateId(ctx)
					So(err, ShouldBeNil)
					So(raw, ShouldNotBeNil)
				})
				// A cookie naming a session ID the store does not know.
				serve(m, withCookie(newGet("/empty"), "MacaronSession=ad2c7e3cbecfcf486; Path=/;"))
			})
		})
	})
}
// Test_GenerateCookie checks that, with SetCookie enabled, the CSRF middleware
// writes the token into a Set-Cookie header on the request after login —
// under the default "_csrf" name and under a custom one.
func Test_GenerateCookie(t *testing.T) {
	// login hits /login and returns the session cookie the server issued.
	login := func(m *macaron.Macaron) string {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/login", nil)
		So(err, ShouldBeNil)
		m.ServeHTTP(resp, req)
		return resp.Header().Get("Set-Cookie")
	}
	// getPrivate GETs /private with the session cookie and returns the recorder.
	getPrivate := func(m *macaron.Macaron, cookie string) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/private", nil)
		So(err, ShouldBeNil)
		req.Header.Set("Cookie", cookie)
		m.ServeHTTP(resp, req)
		return resp
	}

	Convey("Generate token to Cookie", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			SetCookie: true,
		}))
		// Simulate login.
		m.Get("/login", func(sess session.Store) {
			sess.Set("uid", 123456)
		})
		// Generate cookie.
		m.Get("/private", func() {})

		resp := getPrivate(m, login(m))
		So(resp.Header().Get("Set-Cookie"), ShouldContainSubstring, "_csrf")
	})

	Convey("Generate token to custom Cookie", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			Cookie:    "custom",
			SetCookie: true,
		}))
		// Simulate login.
		m.Get("/login", func(sess session.Store) {
			sess.Set("uid", int64(123456))
		})
		// Generate cookie.
		m.Get("/private", func() {})

		resp := getPrivate(m, login(m))
		So(resp.Header().Get("Set-Cookie"), ShouldContainSubstring, "custom")
	})
}
// Test_Invalid covers the CSRF middleware's failure paths: a session uid of an
// unsupported type, a validated route hit without any token, and one hit with
// a bogus X-CSRFToken header — the latter two must answer 400.
func Test_Invalid(t *testing.T) {
	// newGet builds a GET request for path, failing the test if that errors.
	newGet := func(path string) *http.Request {
		req, err := http.NewRequest("GET", path, nil)
		So(err, ShouldBeNil)
		return req
	}
	// withHeader sets one header on req and returns it, for chaining.
	withHeader := func(req *http.Request, key, value string) *http.Request {
		req.Header.Set(key, value)
		return req
	}
	// serve runs req through m and returns the recorded response.
	serve := func(m *macaron.Macaron, req *http.Request) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		m.ServeHTTP(resp, req)
		return resp
	}
	// newApp returns a fresh Macaron with sessions and default CSRF options.
	newApp := func() *macaron.Macaron {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer())
		return m
	}

	Convey("Invalid session data type", t, func() {
		m := newApp()
		// Simulate login with a bool uid, which the middleware does not accept.
		m.Get("/login", func(sess session.Store, x CSRF) {
			sess.Set("uid", true)
		})
		// Generate token.
		m.Get("/private", func() {})

		// No assertion is made here; the case passes as long as neither
		// request panics.
		cookie := serve(m, newGet("/login")).Header().Get("Set-Cookie")
		serve(m, withHeader(newGet("/private"), "Cookie", cookie))
	})

	Convey("Invalid request", t, func() {
		m := newApp()
		// Simulate login.
		m.Get("/login", Validate, func() {})

		resp := serve(m, newGet("/login"))
		So(resp.Code, ShouldEqual, http.StatusBadRequest)
	})

	Convey("Invalid token", t, func() {
		m := newApp()
		// Simulate login.
		m.Get("/login", Validate, func() {})

		resp := serve(m, withHeader(newGet("/login"), "X-CSRFToken", "invalid"))
		So(resp.Code, ShouldEqual, http.StatusBadRequest)
	})
}
// Test_Validate checks the CSRF validation handler end to end: a token
// fetched from /private is accepted both as a form field and as a header
// (default and custom names), and an invalid token is rejected through the
// configured ErrorFunc.
func Test_Validate(t *testing.T) {
	// login hits /login and returns the session cookie the server issued.
	login := func(m *macaron.Macaron) string {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/login", nil)
		So(err, ShouldBeNil)
		m.ServeHTTP(resp, req)
		return resp.Header().Get("Set-Cookie")
	}
	// fetchToken GETs /private with the session cookie and returns the body,
	// which the /private handler fills with the freshly generated token.
	fetchToken := func(m *macaron.Macaron, cookie string) string {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/private", nil)
		So(err, ShouldBeNil)
		req.Header.Set("Cookie", cookie)
		m.ServeHTTP(resp, req)
		return resp.Body.String()
	}
	// postForm POSTs /private carrying token in the url-encoded form field.
	postForm := func(m *macaron.Macaron, cookie, field, token string) *httptest.ResponseRecorder {
		data := url.Values{}
		data.Set(field, token)
		body := data.Encode()
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("POST", "/private", bytes.NewBufferString(body))
		So(err, ShouldBeNil)
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.Header.Set("Content-Length", com.ToStr(len(body)))
		req.Header.Set("Cookie", cookie)
		m.ServeHTTP(resp, req)
		return resp
	}
	// postHeader POSTs /private carrying token in the named HTTP header.
	postHeader := func(m *macaron.Macaron, cookie, header, token string) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("POST", "/private", nil)
		So(err, ShouldBeNil)
		req.Header.Set(header, token)
		req.Header.Set("Cookie", cookie)
		m.ServeHTTP(resp, req)
		return resp
	}
	// routes registers the login, token and validated POST handlers.
	routes := func(m *macaron.Macaron) {
		// Simulate login.
		m.Get("/login", func(sess session.Store) {
			sess.Set("uid", 123456)
		})
		// Generate token.
		m.Get("/private", func(x CSRF) string {
			return x.GetToken()
		})
		m.Post("/private", Validate, func() {})
	}

	Convey("Validate token", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer())
		routes(m)

		cookie := login(m)
		token := fetchToken(m, cookie)

		// Post using _csrf form value.
		So(postForm(m, cookie, "_csrf", token).Code, ShouldNotEqual, http.StatusBadRequest)
		// Post using X-CSRFToken HTTP header.
		So(postHeader(m, cookie, "X-CSRFToken", token).Code, ShouldNotEqual, http.StatusBadRequest)
	})

	Convey("Validate custom token", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			Header: "X-Custom",
			Form:   "_custom",
		}))
		routes(m)

		cookie := login(m)
		token := fetchToken(m, cookie)

		// Post using _custom form value.
		So(postForm(m, cookie, "_custom", token).Code, ShouldNotEqual, http.StatusBadRequest)
		// Post using X-Custom HTTP header.
		So(postHeader(m, cookie, "X-Custom", token).Code, ShouldNotEqual, http.StatusBadRequest)
	})

	Convey("Validate token with custom error func", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			ErrorFunc: func(w http.ResponseWriter) {
				http.Error(w, "custom error", 422)
			},
		}))
		routes(m)

		cookie := login(m)
		// The real token is generated but deliberately not used below.
		fetchToken(m, cookie)

		// Post using an invalid _csrf form value.
		resp := postForm(m, cookie, "_csrf", "invalid")
		So(resp.Code, ShouldEqual, 422)
		So(resp.Body.String(), ShouldEqual, "custom error\n")
		// Post using an invalid X-CSRFToken HTTP header.
		resp = postHeader(m, cookie, "X-CSRFToken", "invalid")
		So(resp.Code, ShouldEqual, 422)
		So(resp.Body.String(), ShouldEqual, "custom error\n")
	})
}
// Test_GenerateHeader checks that, with SetHeader enabled, the CSRF middleware
// returns the token in a response header: X-CSRFToken by default, nothing when
// Origin checking is on and the request carries an Origin, and a custom header
// name when one is configured.
func Test_GenerateHeader(t *testing.T) {
	// login hits /login and returns the session cookie the server issued.
	login := func(m *macaron.Macaron) string {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/login", nil)
		So(err, ShouldBeNil)
		m.ServeHTTP(resp, req)
		return resp.Header().Get("Set-Cookie")
	}
	// getPrivate GETs /private with the session cookie, adding an Origin
	// header when origin is non-empty, and returns the recorder.
	getPrivate := func(m *macaron.Macaron, cookie, origin string) *httptest.ResponseRecorder {
		resp := httptest.NewRecorder()
		req, err := http.NewRequest("GET", "/private", nil)
		So(err, ShouldBeNil)
		req.Header.Set("Cookie", cookie)
		if origin != "" {
			req.Header.Set("Origin", origin)
		}
		m.ServeHTTP(resp, req)
		return resp
	}
	// routes registers the login handler and an empty /private handler.
	routes := func(m *macaron.Macaron) {
		// Simulate login.
		m.Get("/login", func(sess session.Store) {
			sess.Set("uid", "123456")
		})
		// Generate HTTP header.
		m.Get("/private", func() {})
	}

	Convey("Generate token to header", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			SetHeader: true,
		}))
		routes(m)

		resp := getPrivate(m, login(m), "")
		So(resp.Header().Get("X-CSRFToken"), ShouldNotBeEmpty)
	})

	Convey("Generate token to header with origin", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			SetHeader: true,
			Origin:    true,
		}))
		routes(m)

		// With Origin enabled, a cross-site Origin suppresses the header.
		resp := getPrivate(m, login(m), "https://www.example.com")
		So(resp.Header().Get("X-CSRFToken"), ShouldBeEmpty)
	})

	Convey("Generate token to custom header", t, func() {
		m := macaron.New()
		m.Use(session.Sessioner())
		m.Use(Csrfer(Options{
			Header:    "X-Custom",
			SetHeader: true,
		}))
		routes(m)

		resp := getPrivate(m, login(m), "")
		So(resp.Header().Get("X-Custom"), ShouldNotBeEmpty)
	})
}