Package xsrf

luci: go.chromium.org/luci/server/auth/xsrf Index | Files

package xsrf

import "go.chromium.org/luci/server/auth/xsrf"

Package xsrf provides Cross Site Request Forgery prevention middleware.

Usage:

1. When serving GET request put hidden "xsrf_token" input field with
   the token value into the form. Use TokenField(...) to generate it.
2. Wrap POST-handling route with WithTokenCheck(...) middleware.

func Check(c context.Context, tok string) error

Check returns nil if XSRF token is valid.

func Token ¶ Uses

❖

func Token(c context.Context) (string, error)

Token generates new XSRF token bound to the current caller.

The token is URL safe base64 encoded string. It lives for 4 hours and may potentially be used multiple times (i.e. the token is stateless).

Put it in hidden form field under the name of "xsrf_token", e.g. <input type="hidden" name="xsrf_token" value="{{.XsrfToken}}">.

Later WithTokenCheck will grab it from there and verify its validity.

func TokenField ¶ Uses

❖

func TokenField(c context.Context) template.HTML

TokenField generates "<input type="hidden" ...>" field with the token.

It can be put into HTML forms directly. Panics on errors.

func WithTokenCheck ¶ Uses

❖

func WithTokenCheck(c *router.Context, next router.Handler)

WithTokenCheck is middleware that checks validity of XSRF tokens.

If searches for the token in "xsrf_token" POST form field (as generated by TokenField). Aborts the request with HTTP 403 if XSRF token is missing or invalid.

Package xsrf imports 11 packages (graph) and is imported by 9 packages. Updated 2019-12-05. Refresh now. Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
g then i	: Go to index
g then e	: Go to examples

package xsrf

Index ¶

Package Files ¶

func Check ¶ Uses

func Token ¶ Uses

func TokenField ¶ Uses

func WithTokenCheck ¶ Uses

Jump to identifier

Keyboard shortcuts