Documentation ¶
Overview ¶
Package routes is a common place to put all application routes, so that routes are easy to set up both for the application and for testing.
Index ¶
- func DefaultMiddleware(logger log.Logger) func(http.Handler) http.Handler
- func ETag(h http.Handler) http.Handler
- func ForceHeader(ctx context.Context) (h http.Header)
- func GoListenAndServe(config Config, logger log.Logger, handler http.Handler) io.Closer
- func IdMiddleware(handler http.Handler) http.Handler
- func ListenAndServe(config Config, logger log.Logger, handler http.Handler)
- func LogRequest(h http.Handler) http.Handler
- func RecoverAndSetStatusCode(statusCode *int)
- func Recovery(h http.Handler) http.Handler
- func WithHeader(h http.Handler) http.Handler
- type Config
- type CrossSiteConfig
- type Middleware
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ETag ¶
ETag is middleware that, for `GET` requests, will:
- Calculate the ETag as md5(body)
- Add an ETag HTTP header to the response
- If the client sends an `If-None-Match` header whose value matches the ETag, discard the body and respond with `304 Not Modified`; this applies only to `200 OK` responses
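The following is an added example of the behaviour described above, not the package's own implementation. It buffers the wrapped handler's output (a hypothetical `bufferedWriter`), computes the MD5 tag, and short-circuits with `304` when `If-None-Match` matches; `HelloHandler`, `NotFoundHandler` and `Probe` are constructed test fixtures.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bufferedWriter captures the wrapped handler's status and body so the tag
// can be computed over the complete body before anything reaches the client.
// (Hypothetical helper for this example.)
type bufferedWriter struct {
	header http.Header
	status int
	body   bytes.Buffer
}

func (b *bufferedWriter) Header() http.Header  { return b.header }
func (b *bufferedWriter) WriteHeader(code int) { b.status = code }
func (b *bufferedWriter) Write(p []byte) (int, error) {
	if b.status == 0 {
		b.status = http.StatusOK // net/http semantics: first Write implies 200
	}
	return b.body.Write(p)
}

// ETag wraps h as the docs describe: for GET requests it buffers the response,
// sets ETag to the hex MD5 of the body, and answers 304 with no body when the
// client's If-None-Match matches. Non-GET requests and non-200 responses pass
// through untouched. (Added example, not the package's own code.)
func ETag(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			h.ServeHTTP(w, r)
			return
		}
		bw := &bufferedWriter{header: w.Header()}
		h.ServeHTTP(bw, r)
		if bw.status == 0 {
			bw.status = http.StatusOK // handler wrote nothing at all
		}
		if bw.status != http.StatusOK {
			w.WriteHeader(bw.status)
			w.Write(bw.body.Bytes())
			return
		}
		sum := md5.Sum(bw.body.Bytes())
		tag := `"` + hex.EncodeToString(sum[:]) + `"`
		w.Header().Set("ETag", tag)
		if r.Header.Get("If-None-Match") == tag {
			w.WriteHeader(http.StatusNotModified) // body discarded
			return
		}
		w.WriteHeader(http.StatusOK)
		w.Write(bw.body.Bytes())
	})
}

// HelloHandler and NotFoundHandler are constructed sample handlers for Probe.
var HelloHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("hello"))
})

var NotFoundHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	http.Error(w, "nope", http.StatusNotFound)
})

// Probe sends one request through ETag(h) and reports status, ETag header and body.
func Probe(h http.Handler, method, ifNoneMatch string) (int, string, string) {
	req := httptest.NewRequest(method, "/", nil)
	if ifNoneMatch != "" {
		req.Header.Set("If-None-Match", ifNoneMatch)
	}
	rec := httptest.NewRecorder()
	ETag(h).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("ETag"), rec.Body.String()
}

func main() {
	code, tag, body := Probe(HelloHandler, http.MethodGet, "")
	fmt.Println(code, tag, body)
	code, _, body = Probe(HelloHandler, http.MethodGet, tag)
	fmt.Println(code, len(body))
}
```

Buffering the whole body is what makes a body-hash ETag possible, so this middleware is only appropriate for responses small enough to hold in memory; streaming or large responses should be excluded before the wrapper. Note also that the tag is derived only from the body, so two responses with identical bodies but different headers share a tag.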
func GoListenAndServe ¶
GoListenAndServe will start an HTTP server, on a separate goroutine, on config.Addr, using handler to handle requests.
Returns an io.Closer that can be used to terminate the HTTP server. The closer will block with the same semantics as net/http.Server.Shutdown (https://godoc.org/net/http#Server.Shutdown)
func IdMiddleware ¶
IdMiddleware is middleware that has no effect; it is useful as a stand-in for optional middleware, instead of returning a custom function every time.
func ListenAndServe ¶
ListenAndServe will start an HTTP server on config.Addr, using handler to handle requests. This function never returns.
func LogRequest ¶
LogRequest will absorb panics raised in earlier middleware. It times the request and logs the result.
func RecoverAndSetStatusCode ¶
func RecoverAndSetStatusCode(statusCode *int)
Types ¶
type CrossSiteConfig ¶
type CrossSiteConfig struct {
    // RawAllowedOrigins is comma-separated list of hosts (with
    // `https://` prefix) that are allowed to make requests to the
    // server. Used to reject requests for CSRF, and to control
    // browser behaviour with CORS (deny access to response body).
    RawAllowedOrigins string `required:"true"`

    // AllowCredentials configures whether CORS requests are allowed to send "credentials":
    //
    // > Servers can also notify clients whether "credentials"
    // > (including Cookies and HTTP Authentication data) should be sent
    // > with requests
    //
    // (From https://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
    AllowCredentials bool `required:"true"`

    // CSRFRequiredHeader will reject requests that do *not* have
    // this header set. The value of the header is ignored. This is an
    // additional layer of CSRF protection:
    //
    // 1. Without this header, requests will be rejected.
    //
    // 2. If JS on browser tries to include this header, it will
    //    trigger CORS policy validation by the browser.
    //
    // 3. Browser will make a CORS OPTIONS request, and if the origin
    //    isn't in the list of allowed origins, the browser will abort
    //    without making a real request.
    //
    // 4. If the origin *is* in the list of allowed origins, the
    //    browser will proceed with the real request.
    //
    CSRFRequiredHeader string `required:"true" default:"X-Csrf"`
}

CrossSiteConfig is configuration for cross-site request protection:
- CSRF for writes
- CORS for reads
type Middleware ¶
Middleware represents the form of HTTP middleware constructors.
func Compose ¶
func Compose(middlewares ...Middleware) Middleware
Compose provides a convenient way to chain the HTTP middleware functions.
In short, it transforms `Middleware3(Middleware2(Middleware1(HttpHandler)))` to `Compose(Middleware1, Middleware2, Middleware3)(HttpHandler)`.
More details: https://github.com/theplant/hsm2-backend/pull/258#discussion_r70732260
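An added example (not the package's own code) of a `Middleware` type, the no-op `IdMiddleware`, and a `Compose` with the documented argument order; the `tag` helper and `Trace` function are constructed here only to make the wrapping order visible.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Middleware mirrors the constructor form documented above: it takes a
// handler and returns a wrapped handler.
type Middleware func(http.Handler) http.Handler

// IdMiddleware is the no-op middleware, a placeholder where a middleware is optional.
func IdMiddleware(h http.Handler) http.Handler { return h }

// Compose folds the middlewares so that Compose(m1, m2, m3)(h) == m3(m2(m1(h))):
// the first argument ends up innermost (closest to h) and the last argument
// outermost, so the last one is the first to see an incoming request.
func Compose(ms ...Middleware) Middleware {
	return func(h http.Handler) http.Handler {
		for _, m := range ms {
			h = m(h)
		}
		return h
	}
}

// tag returns a middleware that records its name on the way in and on the
// way out, so the ordering can be observed. (Constructed for this example.)
func tag(name string, trace *[]string) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			*trace = append(*trace, name+">")
			next.ServeHTTP(w, r)
			*trace = append(*trace, "<"+name)
		})
	}
}

// Trace runs one request through Compose(m1, m2, IdMiddleware, m3) and
// returns the order in which the middlewares and the handler saw it.
func Trace() string {
	var trace []string
	chain := Compose(tag("m1", &trace), tag("m2", &trace), IdMiddleware, tag("m3", &trace))
	h := chain(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		trace = append(trace, "handler")
	}))
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
	return strings.Join(trace, " ")
}

func main() {
	fmt.Println(Trace())
}
```

The order matters for the security middleware on this page: a middleware that is meant to observe panics or time the whole request (LogRequest, Recovery) only sees what is inside it, so it must be placed so that it ends up outermost, which with this `Compose` means passing it last.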
func SecureMiddleware ¶
func SecureMiddleware(logger log.Logger, cs CrossSiteConfig) Middleware
SecureMiddleware is middleware to (currently) enforce CORS and CSRF protection on requests to this service. The OWASP CSRF recommendation [1] is:
> General Recommendations For Automated CSRF Defense
>
> We recommend two separate checks as your standard CSRF defense that does not require user intervention. [...]
>
> 1. Check standard headers to verify the request is same origin
> 2. AND Check CSRF token
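The following is an added example, not the package's `SecureMiddleware`, showing one way to implement the scheme the `CrossSiteConfig` docs describe (required custom header on writes, origin allowlist, CORS headers only for allowed origins). It assumes that a write request carrying no `Origin` header is accepted on the strength of the custom header alone, that the CORS allowed-methods list is `GET, POST, PUT, DELETE`, and that the config values and `Probe` helper are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CrossSiteConfig mirrors the fields documented above.
type CrossSiteConfig struct {
	RawAllowedOrigins  string
	AllowCredentials   bool
	CSRFRequiredHeader string
}

// allowedOrigins turns the comma-separated list into a set.
func (c CrossSiteConfig) allowedOrigins() map[string]bool {
	set := map[string]bool{}
	for _, o := range strings.Split(c.RawAllowedOrigins, ",") {
		if o = strings.TrimSpace(o); o != "" {
			set[o] = true
		}
	}
	return set
}

// isWrite reports whether the method can change server state.
func isWrite(method string) bool {
	return method != http.MethodGet && method != http.MethodHead && method != http.MethodOptions
}

// CrossSite is the added middleware: CORS for reads, CSRF for writes.
func CrossSite(cs CrossSiteConfig) func(http.Handler) http.Handler {
	allowed := cs.allowedOrigins()
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			origin := r.Header.Get("Origin")
			if origin != "" && allowed[origin] {
				// CORS: only an allowlisted origin may read the response.
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Add("Vary", "Origin")
				if cs.AllowCredentials {
					w.Header().Set("Access-Control-Allow-Credentials", "true")
				}
			}
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				// Preflight (step 3): a disallowed origin gets no permission
				// headers, so the browser aborts before the real request.
				if allowed[origin] {
					w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
					w.Header().Set("Access-Control-Allow-Headers", cs.CSRFRequiredHeader)
				}
				w.WriteHeader(http.StatusNoContent)
				return
			}
			if isWrite(r.Method) {
				// CSRF (step 1): the custom header must be present; its value is ignored.
				if r.Header.Get(cs.CSRFRequiredHeader) == "" {
					http.Error(w, "missing "+cs.CSRFRequiredHeader, http.StatusForbidden)
					return
				}
				// Standard-header check: a browser-supplied Origin must be allowlisted.
				// Assumption: an absent Origin is accepted on the custom header alone.
				if origin != "" && !allowed[origin] {
					http.Error(w, "origin not allowed", http.StatusForbidden)
					return
				}
			}
			next.ServeHTTP(w, r)
		})
	}
}

// ExampleConfig is a constructed configuration for the probes below.
var ExampleConfig = CrossSiteConfig{
	RawAllowedOrigins:  "https://app.example.com, https://admin.example.com",
	AllowCredentials:   true,
	CSRFRequiredHeader: "X-Csrf",
}

// Probe sends one request through CrossSite and returns the status and the
// Access-Control-Allow-Origin header; OPTIONS is sent as a preflight.
func Probe(cs CrossSiteConfig, method, origin string, withCSRFHeader bool) (int, string) {
	req := httptest.NewRequest(method, "/api", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if withCSRFHeader {
		req.Header.Set(cs.CSRFRequiredHeader, "1")
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", http.MethodPost)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	CrossSite(cs)(ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println(Probe(ExampleConfig, http.MethodPost, "https://app.example.com", false))
	fmt.Println(Probe(ExampleConfig, http.MethodPost, "https://app.example.com", true))
}
```

Reads from a non-allowlisted origin still reach the handler and get a 200; the protection for reads is that no `Access-Control-Allow-Origin` is emitted, so the browser denies the page access to the body. Writes are refused outright, which is the CSRF side of the split the docs describe.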