Documentation
Index
- Variables
- func ConnectionConfig(registerURL string, scopes []string) gin.HandlerFunc
- func GetCSRFErrorMessage(r CSRFErrorReason) string
- func MustGetConnectRequest(c *gin.Context) retailcrm.ConnectRequest
- func VerifyConnectRequest(secret string) gin.HandlerFunc
- type CSRF
- type CSRFAbortFunc
- type CSRFErrorReason
- type CSRFTokenGetter
Constants
This section is empty.
Variables
    var DefaultCSRFTokenGetter = func(c *gin.Context) string {
        r := c.Request

        if t := r.URL.Query().Get("csrf_token"); len(t) > 0 {
            return t
        } else if t := r.Header.Get("X-CSRF-Token"); len(t) > 0 {
            return t
        } else if t := r.Header.Get("X-XSRF-Token"); len(t) > 0 {
            return t
        } else if c.Request.Body != nil {
            // Buffer the body: FormValue drains the reader it is given.
            data, _ := ioutil.ReadAll(c.Request.Body)
            c.Request.Body = ioutil.NopCloser(bytes.NewReader(data))
            t := r.FormValue("csrf_token")
            // Restore a fresh copy so the following middlewares can still read the body.
            c.Request.Body = ioutil.NopCloser(bytes.NewReader(data))
            if len(t) > 0 {
                return t
            }
        }

        return ""
    }
DefaultCSRFTokenGetter is the default token getter. It looks for the token in the csrf_token query parameter, then in the X-CSRF-Token and X-XSRF-Token headers, and finally in the csrf_token form field, restoring the request body after reading it.
var DefaultIgnoredMethods = []string{"GET", "HEAD", "OPTIONS"}
DefaultIgnoredMethods lists the HTTP methods that the CSRF verifier middleware does not check.
Functions
func ConnectionConfig
func ConnectionConfig(registerURL string, scopes []string) gin.HandlerFunc
ConnectionConfig returns middleware for the one-step connection configuration route.
func GetCSRFErrorMessage
func GetCSRFErrorMessage(r CSRFErrorReason) string
GetCSRFErrorMessage returns a generic English error message for the given CSRFErrorReason (useful for logs).
func MustGetConnectRequest
func MustGetConnectRequest(c *gin.Context) retailcrm.ConnectRequest
MustGetConnectRequest extracts the retailcrm.ConnectRequest that VerifyConnectRequest placed in the request context.
func VerifyConnectRequest
func VerifyConnectRequest(secret string) gin.HandlerFunc
VerifyConnectRequest verifies the ConnectRequest and places it into the "request" context field.
Types
type CSRF
type CSRF struct {
// contains filtered or unexported fields
}
CSRF provides CSRF token generation and verification.
func NewCSRF
    func NewCSRF(
        salt, secret, sessionName string,
        store sessions.Store,
        abortFunc CSRFAbortFunc,
        csrfTokenGetter CSRFTokenGetter,
    ) *CSRF
NewCSRF creates a CSRF struct with the specified configuration and session store; GenerateCSRFMiddleware and VerifyCSRFMiddleware return the CSRF middlewares. Salt must be different every time (pass an empty salt to use a random one), secret must be provided, sessionName is optional (pass empty to use the default), store will be used to store sessions, abortFunc will be called to return an error if the token is invalid, and csrfTokenGetter will be used to obtain the token.
Usage (with random salt):
    core.NewCSRF("", "super secret", "csrf_session", store, func(c *gin.Context, reason core.CSRFErrorReason) {
        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid CSRF token"})
    }, core.DefaultCSRFTokenGetter)
Note for csrfTokenGetter: if you want to read the token from the request body (for example, from a form field), don't forget to restore the Body data!
Body in http.Request is an io.ReadCloser instance. Reading the CSRF token from a form like this:
    if t := r.FormValue("csrf_token"); len(t) > 0 {
        return t
    }
will close the body, and none of the following middlewares will be able to read the body at all!
Use DefaultCSRFTokenGetter as an example to implement your own token getter. CSRFErrorReason will be passed to abortFunc and can be used for better error messages.
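The body-consumption pitfall above, shown side by side with a getter that restores the body, as an added stand-alone example (not code from this package). It uses only net/http so it runs without gin: the hypothetical tokenGetter type takes an *http.Request instead of a *gin.Context, and the form request is constructed sample input.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// tokenGetter is a hypothetical stand-in for the package's CSRFTokenGetter,
// taking *http.Request so this example needs no gin dependency.
type tokenGetter func(r *http.Request) string

// consumingGetter reproduces the pitfall from the docs: FormValue parses the
// body to EOF, so nothing is left for the middlewares that run afterwards.
func consumingGetter(r *http.Request) string {
	return r.FormValue("csrf_token")
}

// restoringGetter mirrors DefaultCSRFTokenGetter's approach: buffer the body,
// give FormValue a copy, then put another copy back for the next handler.
func restoringGetter(r *http.Request) string {
	if t := r.URL.Query().Get("csrf_token"); t != "" {
		return t
	}
	if t := r.Header.Get("X-CSRF-Token"); t != "" {
		return t
	}
	if r.Body == nil {
		return ""
	}
	data, err := io.ReadAll(r.Body)
	if err != nil {
		return ""
	}
	// FormValue drains whatever reader it is handed, so hand it a fresh copy ...
	r.Body = io.NopCloser(bytes.NewReader(data))
	t := r.FormValue("csrf_token")
	// ... and restore another fresh copy for whoever reads the body next.
	r.Body = io.NopCloser(bytes.NewReader(data))
	return t
}

// newFormRequest builds a constructed POST carrying a url-encoded form body.
func newFormRequest(form string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://example.invalid/submit", strings.NewReader(form))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// runGetter applies a getter to a fresh request and then reads whatever a
// downstream handler would still find in the body.
func runGetter(get tokenGetter, form string) (token string, remaining string) {
	r := newFormRequest(form)
	token = get(r)
	rest, _ := io.ReadAll(r.Body)
	return token, string(rest)
}

func main() {
	const form = "csrf_token=abc123&comment=hello" // constructed sample form body
	for name, g := range map[string]tokenGetter{"consuming": consumingGetter, "restoring": restoringGetter} {
		tok, rest := runGetter(g, form)
		fmt.Printf("%-10s token=%q body left for next handler=%q\n", name, tok, rest)
	}
}
```

Both getters find the token; only the restoring one leaves the form body intact for later middlewares, which is the whole reason for the double `r.Body = io.NopCloser(...)` in DefaultCSRFTokenGetter.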
func (*CSRF) CSRFFromContext
CSRFFromContext returns the CSRF token from the context, or a random token. It must not return an empty string, because that would make the CSRF protection useless: any request without a token would pass verification, which is unacceptable.
func (*CSRF) GenerateCSRFMiddleware
func (x *CSRF) GenerateCSRFMiddleware() gin.HandlerFunc
GenerateCSRFMiddleware returns a gin.HandlerFunc which will generate the CSRF token.
Usage:
    engine := gin.New()
    // Empty salt: a random salt is generated. store and abortFunc are a configured
    // sessions.Store and CSRFAbortFunc, as described for NewCSRF.
    csrf := NewCSRF("", "secret", "csrf_session", store, abortFunc, DefaultCSRFTokenGetter)
    engine.Use(csrf.GenerateCSRFMiddleware())
func (*CSRF) VerifyCSRFMiddleware
func (x *CSRF) VerifyCSRFMiddleware(ignoredMethods []string) gin.HandlerFunc
VerifyCSRFMiddleware verifies the CSRF token for every request whose method is not listed in ignoredMethods.
Usage:
    engine := gin.New()
    engine.Use(csrf.VerifyCSRFMiddleware(DefaultIgnoredMethods))
type CSRFAbortFunc
type CSRFAbortFunc func(*gin.Context, CSRFErrorReason)
CSRFAbortFunc is a callback which is called when CSRF token verification fails. It receives the request context and the CSRFErrorReason, and should abort the request with an error response.
type CSRFErrorReason
type CSRFErrorReason uint8
CSRFErrorReason is an error reason type.
    const (
        // CSRFErrorNoTokenInSession will be returned if token is not present in session.
        CSRFErrorNoTokenInSession CSRFErrorReason = iota
        // CSRFErrorCannotStoreTokenInSession will be returned if middleware cannot store token in session.
        CSRFErrorCannotStoreTokenInSession
        // CSRFErrorIncorrectTokenType will be returned if data type of token in session is not string.
        CSRFErrorIncorrectTokenType
        // CSRFErrorEmptyToken will be returned if token in session is empty.
        CSRFErrorEmptyToken
        // CSRFErrorTokenMismatch will be returned in case of invalid token.
        CSRFErrorTokenMismatch
    )
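How the generate and verify steps (GenerateCSRFMiddleware, VerifyCSRFMiddleware) fit together with these reasons, as an added stand-alone example rather than the package's own code. The CSRFErrorReason constants are copied from the documentation above; the session map, the tokenKey session key, issueToken, verifyToken and reasonMessage are this example's own assumptions about how a synchronizer-token verifier arrives at each reason.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// CSRFErrorReason and its constants mirror the documented ones; everything
// else in this file is an added illustration, not the package's implementation.
type CSRFErrorReason uint8

const (
	CSRFErrorNoTokenInSession CSRFErrorReason = iota
	CSRFErrorCannotStoreTokenInSession
	CSRFErrorIncorrectTokenType
	CSRFErrorEmptyToken
	CSRFErrorTokenMismatch
)

// session stands in for one sessions.Store entry: values are untyped, which is
// why the verifier must check the token's type before comparing it.
type session map[string]interface{}

// tokenKey is a hypothetical session key chosen for this example.
const tokenKey = "csrf_token"

// issueToken is the generate step: mint 32 random bytes, hex-encode them and
// store the result in the session so a later request can be matched against it.
func issueToken(s session) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s[tokenKey] = tok
	return tok, nil
}

// verifyToken is the verify step. It checks the session token in the order the
// reason constants suggest and returns the first reason that applies; ok is
// true only when the presented token matches the stored one exactly.
func verifyToken(s session, presented string) (ok bool, reason CSRFErrorReason) {
	raw, found := s[tokenKey]
	if !found {
		return false, CSRFErrorNoTokenInSession
	}
	expected, isString := raw.(string)
	if !isString {
		return false, CSRFErrorIncorrectTokenType
	}
	if expected == "" {
		return false, CSRFErrorEmptyToken
	}
	// Constant-time comparison: a plain == would leak how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) != 1 {
		return false, CSRFErrorTokenMismatch
	}
	return true, 0
}

// reasonMessage plays the role of GetCSRFErrorMessage here, with this example's own wording.
func reasonMessage(r CSRFErrorReason) string {
	switch r {
	case CSRFErrorNoTokenInSession:
		return "no CSRF token in session"
	case CSRFErrorCannotStoreTokenInSession:
		return "cannot store CSRF token in session"
	case CSRFErrorIncorrectTokenType:
		return "CSRF token in session has wrong type"
	case CSRFErrorEmptyToken:
		return "CSRF token in session is empty"
	case CSRFErrorTokenMismatch:
		return "CSRF token mismatch"
	}
	return "unknown CSRF error"
}

func main() {
	s := session{}
	tok, err := issueToken(s)
	if err != nil {
		panic(err)
	}
	// Constructed requests: the genuine token, a forged one, and one with no token.
	for name, presented := range map[string]string{"genuine": tok, "forged": "0000", "missing": ""} {
		if ok, reason := verifyToken(s, presented); ok {
			fmt.Printf("%-8s accepted\n", name)
		} else {
			fmt.Printf("%-8s rejected: %s\n", name, reasonMessage(reason))
		}
	}
}
```

Note that a request presenting no token at all ends in CSRFErrorTokenMismatch rather than being accepted, which is the property CSRFFromContext's documentation insists on: an empty presented token never equals a non-empty stored one.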