middleware

package
v2.7.4

This package is not in the latest version of its module.
Published: Apr 17, 2024 License: MIT Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var DefaultCSRFTokenGetter = func(c *gin.Context) string {
	r := c.Request

	if t := r.URL.Query().Get("csrf_token"); len(t) > 0 {
		return t
	} else if t := r.Header.Get("X-CSRF-Token"); len(t) > 0 {
		return t
	} else if t := r.Header.Get("X-XSRF-Token"); len(t) > 0 {
		return t
	} else if c.Request.Body != nil {
		data, _ := ioutil.ReadAll(c.Request.Body)
		c.Request.Body = ioutil.NopCloser(bytes.NewReader(data))
		t := r.FormValue("csrf_token")
		c.Request.Body = ioutil.NopCloser(bytes.NewReader(data))

		if len(t) > 0 {
			return t
		}
	}

	return ""
}

DefaultCSRFTokenGetter default getter.

var DefaultIgnoredMethods = []string{"GET", "HEAD", "OPTIONS"}

DefaultIgnoredMethods ignored methods for CSRF verifier middleware.

Functions

func ConnectionConfig

func ConnectionConfig(registerURL string, scopes []string) gin.HandlerFunc

ConnectionConfig returns middleware for the one-step connection configuration route.

func GetCSRFErrorMessage

func GetCSRFErrorMessage(r CSRFErrorReason) string

GetCSRFErrorMessage returns generic error message for CSRFErrorReason in English (useful for logs).

func MustGetConnectRequest

func MustGetConnectRequest(c *gin.Context) retailcrm.ConnectRequest

MustGetConnectRequest will extract retailcrm.ConnectRequest from the request context.

func VerifyConnectRequest

func VerifyConnectRequest(secret string) gin.HandlerFunc

VerifyConnectRequest will verify ConnectRequest and place it into the "request" context field.

Types

type CSRF

type CSRF struct {
	// contains filtered or unexported fields
}

CSRF struct. Provides CSRF token verification.

func NewCSRF

func NewCSRF(
	salt, secret, sessionName string,
	store sessions.Store,
	abortFunc CSRFAbortFunc,
	csrfTokenGetter CSRFTokenGetter,
) *CSRF

NewCSRF creates a CSRF struct with the specified configuration and session store. GenerateCSRFMiddleware and VerifyCSRFMiddleware return the CSRF middlewares. Salt must be different every time (pass an empty salt to use a random one), secret must be provided, sessionName is optional (pass empty to use the default), store will be used to store sessions, abortFunc will be called to return an error if the token is invalid, and csrfTokenGetter will be used to obtain the token from the request.

Usage (with random salt):

middleware.NewCSRF("", "super secret", "csrf_session", store, func(c *gin.Context, reason middleware.CSRFErrorReason) {
	c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid CSRF token"})
}, middleware.DefaultCSRFTokenGetter)

Note for csrfTokenGetter: if you want to read the token from the request body (for example, from a form field), don't forget to restore the Body data!

Body in http.Request is an io.ReadCloser. Reading the CSRF token from the form like this:

if t := r.FormValue("csrf_token"); len(t) > 0 {
	return t
}

will consume the body, and all following middlewares and handlers won't be able to read the body at all!

Use DefaultCSRFTokenGetter as an example to implement your own token getter. CSRFErrorReason will be passed to abortFunc and can be used to produce better error messages.
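The body-restoration point above, as an added example that is not part of this package: the getter mirrors DefaultCSRFTokenGetter's lookup order but takes a plain *http.Request instead of a gin.Context so it runs without gin, and bodySeenByNextHandler plays the role of a downstream handler that still needs the body. Function names are assumptions for this example.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenFromRequest looks for the token in the same places as
// DefaultCSRFTokenGetter: query string, X-CSRF-Token, X-XSRF-Token, then
// the form body. Name and signature are assumptions for this example.
func tokenFromRequest(r *http.Request) string {
	if t := r.URL.Query().Get("csrf_token"); t != "" {
		return t
	}
	for _, h := range []string{"X-CSRF-Token", "X-XSRF-Token"} {
		if t := r.Header.Get(h); t != "" {
			return t
		}
	}
	if r.Body == nil {
		return ""
	}
	// FormValue consumes r.Body, so buffer it first and put a fresh reader
	// back afterwards; otherwise later handlers see an empty body.
	data, err := io.ReadAll(r.Body)
	if err != nil {
		return ""
	}
	r.Body = io.NopCloser(bytes.NewReader(data))
	t := r.FormValue("csrf_token")
	r.Body = io.NopCloser(bytes.NewReader(data))
	return t
}

// bodySeenByNextHandler builds a constructed form POST, runs the getter,
// then reads the body the way a downstream handler would.
func bodySeenByNextHandler(form url.Values) (string, string) {
	r := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	token := tokenFromRequest(r)
	rest, _ := io.ReadAll(r.Body)
	return token, string(rest)
}
```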

func (*CSRF) CSRFFromContext

func (x *CSRF) CSRFFromContext(c *gin.Context) string

CSRFFromContext returns the CSRF token from the context, or a random token. It must not return an empty string, because that would make CSRF protection useless: any request without a token would pass verification, which is unacceptable.

func (*CSRF) GenerateCSRFMiddleware

func (x *CSRF) GenerateCSRFMiddleware() gin.HandlerFunc

GenerateCSRFMiddleware returns a gin.HandlerFunc which will generate the CSRF token. Usage:

engine := gin.New()
// store is a sessions.Store and abortFunc a CSRFAbortFunc, as described for NewCSRF.
csrf := NewCSRF("salt", "secret", "csrf_session", store, abortFunc, DefaultCSRFTokenGetter)
engine.Use(csrf.GenerateCSRFMiddleware())

func (*CSRF) VerifyCSRFMiddleware

func (x *CSRF) VerifyCSRFMiddleware(ignoredMethods []string) gin.HandlerFunc

VerifyCSRFMiddleware verifies the CSRF token on every request whose method is not listed in ignoredMethods. Usage:

engine := gin.New()
engine.Use(csrf.VerifyCSRFMiddleware(DefaultIgnoredMethods))

type CSRFAbortFunc

type CSRFAbortFunc func(*gin.Context, CSRFErrorReason)

CSRFAbortFunc is a callback which is invoked with the CSRFErrorReason when token verification fails.

type CSRFErrorReason

type CSRFErrorReason uint8

CSRFErrorReason is an error reason type.

const (
	// CSRFErrorNoTokenInSession will be returned if token is not present in session.
	CSRFErrorNoTokenInSession CSRFErrorReason = iota

	// CSRFErrorCannotStoreTokenInSession will be returned if middleware cannot store token in session.
	CSRFErrorCannotStoreTokenInSession

	// CSRFErrorIncorrectTokenType will be returned if data type of token in session is not string.
	CSRFErrorIncorrectTokenType

	// CSRFErrorEmptyToken will be returned if token in session is empty.
	CSRFErrorEmptyToken

	// CSRFErrorTokenMismatch will be returned in case of invalid token.
	CSRFErrorTokenMismatch
)

type CSRFTokenGetter

type CSRFTokenGetter func(*gin.Context) string

CSRFTokenGetter is the function type used to obtain the CSRF token from the request.
