csrf

var (
	// ErrNoReferer is returned when a HTTPS request provides an empty Referer
	// header.
	ErrNoReferer = errors.New("referer not supplied")
	// ErrBadReferer is returned when the scheme & host in the URL do not match
	// the supplied Referer header.
	ErrBadReferer = errors.New("referer invalid")
	// ErrNoToken is returned if no CSRF token is supplied in the request.
	ErrNoToken = errors.New("CSRF token not found in request")
	// ErrBadToken is returned if the CSRF token in the request does not match
	// the token in the session, or is otherwise malformed.
	ErrBadToken = errors.New("CSRF token invalid")
)

var New = func(next buffalo.Handler) buffalo.Handler {

	if envy.Get("GO_ENV", "development") == "test" {
		return func(c buffalo.Context) error {
			c.Logger().Warn("csrf middleware is running in test mode")
			c.Set(tokenKey, "test")
			return next(c)
		}
	}

	return func(c buffalo.Context) error {
		req := c.Request()

		var realToken []byte
		var err error
		rawRealToken := c.Session().Get(tokenKey)

		if rawRealToken == nil || len(rawRealToken.([]byte)) != tokenLength {

			realToken, err = generateRandomBytes(tokenLength)
			if err != nil {
				return err
			}

			c.Session().Set(tokenKey, realToken)
		} else {
			realToken = rawRealToken.([]byte)
		}

		c.Set(fieldName, mask(realToken, req))

		if !contains(safeMethods, req.Method) {

			if req.URL.Scheme == "https" {

				referer, err := url.Parse(req.Referer())
				if err != nil || referer.String() == "" {
					return c.Error(http.StatusForbidden, ErrNoReferer)
				}

				if !sameOrigin(req.URL, referer) {
					return c.Error(http.StatusForbidden, ErrBadReferer)
				}
			}

			requestToken := unmask(requestCSRFToken(req))

			if requestToken == nil {
				return c.Error(http.StatusForbidden, ErrNoToken)
			}

			if !compareTokens(requestToken, realToken) {
				return c.Error(http.StatusForbidden, ErrBadToken)
			}
		}

		return next(c)
	}
}