gxsrf

package module
v0.0.0-...-f34d141
Published: Jan 11, 2015 License: MIT Imports: 6 Imported by: 0

README


Overview

GXSRF is a flexible library for preventing XSRF (cross-site request forgery) attacks in Go web applications.

Example usage

The library is split into a few pieces to keep the backend flexible:

  • tokens - the tokens themselves, built around an interface so that new ways of generating tokens are easy to add.
  • storage - the storage mechanism for tokens (the default is the session).
  • stores - backends for the session storage (currently file, cookie, and lock-free cookie backends). Third-party backends such as Redis can also be used.
  • csrf - pulls the other three pieces together to reject forged requests.
package tokens

import "net/http"

// Token is the contract for a token generator. The default implementation
// is a SHA256 token of a secret and a random set of bytes.
type Token interface {
	// Generate produces a token; the result is a hex-encoded
	// []byte that can later be checked by the Authenticate method.
	Generate() string

	// Authenticate takes the encoded token and reports
	// whether it is a valid value.
	Authenticate(string) bool
}

// TokenStorage is implemented for new ways of storing tokens.
type TokenStorage interface {
	// Load reads the token from the request.
	Load(*http.Request) (Token, error)

	// NewToken replaces the current token with a newly generated one.
	// If for some reason it is impossible to generate a token,
	// it should panic.
	NewToken(http.ResponseWriter, *http.Request) Token
}
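An added example (not gxsrf's own code) of implementing the Token interface shown above. It binds each token to a server-side secret with an HMAC over a random nonce rather than the library's plain SHA256 default, so the hmacToken type, nonceLen and NewHMACToken are this example's own names; Authenticate rejects malformed input and compares in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Token mirrors the gxsrf tokens.Token interface from the README.
type Token interface {
	Generate() string
	Authenticate(string) bool
}

// hmacToken (hypothetical): hex(nonce || HMAC-SHA256(secret, nonce)), verifiable from the secret alone.
type hmacToken struct{ secret []byte }
const nonceLen = 32 // random bytes per token
func NewHMACToken(secret []byte) Token { return hmacToken{secret} }

func (t hmacToken) tag(nonce []byte) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// Generate draws a random nonce and appends its MAC, hex encoded.
func (t hmacToken) Generate() string {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: the README's contract is to panic
	}
	return hex.EncodeToString(append(nonce, t.tag(nonce)...))
}

// Authenticate rejects malformed input and compares the MAC in constant time.
func (t hmacToken) Authenticate(enc string) bool {
	raw, err := hex.DecodeString(enc)
	if err != nil || len(raw) != nonceLen+sha256.Size {
		return false
	}
	return hmac.Equal(raw[nonceLen:], t.tag(raw[:nonceLen]))
}

func main() {
	tk := NewHMACToken([]byte("constructed-demo-secret"))
	tok := tk.Generate()
	fmt.Println(tok, tk.Authenticate(tok)) // the token, then true
}
```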

Installation

# Testing Packages
go get -t github.com/onsi/ginkgo/ginkgo
go get -t github.com/onsi/gomega

# Dependencies
# These dependencies are used by the session TokenStorage implementation
# which may be moved to its own repository someday.
go get github.com/gorilla/securecookie
go get github.com/gorilla/sessions

# Execute tests
ginkgo -r

Documentation

Index

Constants

This section is empty.

Variables

var DefaultCookieToken = http.Cookie{
	Name:   "XSRF-TOKEN",
	Path:   "/",
	MaxAge: int((24 * time.Hour) / time.Second),
}

Functions

This section is empty.

Types

type Authenticator

type Authenticator struct {
	// Names for Header and Form fields to check
	Header, Form string

	http.Handler
	utils.FailureHandler
}

An Authenticator is responsible for pulling the token out of the given http request.

func (Authenticator) Authenticate

func (t Authenticator) Authenticate(token tokens.Token, w http.ResponseWriter, r *http.Request)

type Config

type Config struct {
	// Names for Header and Form fields to check
	Header, Form string

	// CSRF cookie token for use by JavaScript libraries.
	CookieToken http.Cookie

	// responsible for storing a token safely
	// and generating new tokens.
	tokens.TokenStorage

	// Matchers that short circuit the request before
	// we check the token.
	ShortCircuit []matchers.RequestMatcherFactory

	// Handler for failures
	utils.FailureHandler
}

func DefaultSessionXSRF

func DefaultSessionXSRF() Config

func (Config) CheckToken

func (t Config) CheckToken(next http.Handler) http.Handler

type Csrf

type Csrf struct {
	CookieToken http.Cookie
	tokens.TokenStorage
	ShortCircuit []matchers.RequestMatcher
	Authenticator
}

func (Csrf) ServeHTTP

func (t Csrf) ServeHTTP(w http.ResponseWriter, r *http.Request)

type Token

type Token tokens.Token

Expose interfaces to the world

type TokenStorage

type TokenStorage tokens.TokenStorage

Directories

Path Synopsis
Demonstrates simple usage +build ignore
