* feat: improved csrf with session support * fix: double submit cookie * feat: add warning cookie extractor without session * feat: add warning CsrfFromCookie SameSite * fix: use byes.Equal instead * fix: Overriden CookieName KeyLookup cookie:<name> * feat: Create helpers.go * feat: use compareTokens (constant time compare) * feat: validate cookie to prevent token injection * refactor: clean up csrf.go * docs: update comment about Double Submit Cookie * docs: update docs for CSRF changes * feat: add DeleteToken * refactor: no else * test: add more tests * refactor: re-order tests * docs: update safe methods RCF add note * test: add CSRF_Cookie_Injection_Exploit * feat: add SingleUseToken config * test: check for new token * docs: use warning * fix: always register type Token * feat: use UUIDv4 * test: swap in UUIDv4 here too * fix: raw token injection * fix: merege error * feat: Sentinel errors * chore: rename test * fix: url parse * test: add path to referer * test: add expiration tests * docs: add cookie prefix note * docs: fix typo * docs: add warning for refer checks * test: add referer edge cases And call ctx.Request.Reset() and ctx.Response.Reset() before re-using ctx.
package csrf
import (
"errors"
"github.com/gofiber/fiber/v2"
)
var (
	// ErrMissingHeader is returned by the extractor built with CsrfFromHeader
	// when the configured request header is absent or empty.
	ErrMissingHeader = errors.New("missing csrf token in header")
	// ErrMissingQuery is returned by the extractor built with CsrfFromQuery
	// when the configured query-string key is absent or empty.
	ErrMissingQuery = errors.New("missing csrf token in query")
	// ErrMissingParam is returned by the extractor built with CsrfFromParam
	// when the configured route parameter is absent or empty.
	ErrMissingParam = errors.New("missing csrf token in param")
	// ErrMissingForm is returned by the extractor built with CsrfFromForm
	// when the configured form field is absent or empty.
	ErrMissingForm = errors.New("missing csrf token in form")
	// ErrMissingCookie is returned by the extractor built with CsrfFromCookie
	// when the configured cookie is absent or empty.
	ErrMissingCookie = errors.New("missing csrf token in cookie")
)
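// CsrfFromParam returns an extractor that reads the CSRF token from the
// route parameter named param (via c.Params).
//
// The returned func yields ErrMissingParam when the parameter is absent or
// empty; it performs no validation of the token value itself.
func CsrfFromParam(param string) func(c *fiber.Ctx) (string, error) {
	return func(c *fiber.Ctx) (string, error) {
		token := c.Params(param)
		if token == "" {
			return "", ErrMissingParam
		}
		return token, nil
	}
}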
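// CsrfFromForm returns an extractor that reads the CSRF token from the
// submitted form field named param (via c.FormValue).
//
// The returned func yields ErrMissingForm when the field is absent or
// empty; it performs no validation of the token value itself.
func CsrfFromForm(param string) func(c *fiber.Ctx) (string, error) {
	return func(c *fiber.Ctx) (string, error) {
		token := c.FormValue(param)
		if token == "" {
			return "", ErrMissingForm
		}
		return token, nil
	}
}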
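// CsrfFromCookie returns an extractor that reads the CSRF token from the
// request cookie named param (via c.Cookies).
//
// The returned func yields ErrMissingCookie when the cookie is absent or
// empty; it performs no validation of the token value itself.
//
// NOTE(review): browsers attach cookies to cross-site requests automatically,
// so a token read from a cookie alone does not by itself show that the
// request was issued by the site's own page. The project's change log records
// a warning about using this extractor without session support and about the
// cookie's SameSite setting — confirm the middleware compares the extracted
// value against a second source before relying on this extractor.
func CsrfFromCookie(param string) func(c *fiber.Ctx) (string, error) {
	return func(c *fiber.Ctx) (string, error) {
		token := c.Cookies(param)
		if token == "" {
			return "", ErrMissingCookie
		}
		return token, nil
	}
}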
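// CsrfFromHeader returns an extractor that reads the CSRF token from the
// request header named param (via c.Get).
//
// The returned func yields ErrMissingHeader when the header is absent or
// empty; it performs no validation of the token value itself.
func CsrfFromHeader(param string) func(c *fiber.Ctx) (string, error) {
	return func(c *fiber.Ctx) (string, error) {
		token := c.Get(param)
		if token == "" {
			return "", ErrMissingHeader
		}
		return token, nil
	}
}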
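// CsrfFromQuery returns an extractor that reads the CSRF token from the
// query-string key named param (via c.Query).
//
// The returned func yields ErrMissingQuery when the key is absent or
// empty; it performs no validation of the token value itself. Tokens
// carried in the URL can end up in access logs and browser history, so
// prefer a header or form extractor where the client can supply one.
func CsrfFromQuery(param string) func(c *fiber.Ctx) (string, error) {
	return func(c *fiber.Ctx) (string, error) {
		token := c.Query(param)
		if token == "" {
			return "", ErrMissingQuery
		}
		return token, nil
	}
}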