fiber/middleware/csrf/csrf.go

package csrf

import (
	"errors"
	"time"

	"github.com/gofiber/fiber/v2"
)

var (
	errTokenNotFound = errors.New("csrf token not found")
)

// New creates a new middleware handler
func New(config ...Config) fiber.Handler {
	// Set default config
	cfg := configDefault(config...)

	// Create manager to simplify storage operations ( see manager.go )
	manager := newManager(cfg.Storage)

	dummyValue := []byte{'+'}

	// Return new handler
	return func(c *fiber.Ctx) (err error) {
		// Don't execute middleware if Next returns true
		if cfg.Next != nil && cfg.Next(c) {
			return c.Next()
		}

		var token string

		// Action depends on the HTTP method
		switch c.Method() {
		case fiber.MethodGet, fiber.MethodHead, fiber.MethodOptions, fiber.MethodTrace:
			// Declare empty token and try to get existing CSRF from cookie
			token = c.Cookies(cfg.CookieName)
		default:
			// Assume that anything not defined as 'safe' by RFC7231 needs protection

			// Extract token from client request i.e. header, query, param, form or cookie
			token, err = cfg.extractor(c)
			if err != nil {
				return cfg.ErrorHandler(c, err)
			}

			// if token does not exist in Storage
			if manager.getRaw(token) == nil {
				// Expire cookie
				c.Cookie(&fiber.Cookie{
					Name:     cfg.CookieName,
					Domain:   cfg.CookieDomain,
					Path:     cfg.CookiePath,
					Expires:  time.Now().Add(-1 * time.Minute),
					Secure:   cfg.CookieSecure,
					HTTPOnly: cfg.CookieHTTPOnly,
					SameSite: cfg.CookieSameSite,
				})
				return cfg.ErrorHandler(c, errTokenNotFound)
			}
		}

		// Generate CSRF token if not exist
		if token == "" {
			// And generate a new token
			token = cfg.KeyGenerator()
		}

		// Add/update token to Storage
		manager.setRaw(token, dummyValue, cfg.Expiration)

		// Create cookie to pass token to client
		cookie := &fiber.Cookie{
			Name:     cfg.CookieName,
			Value:    token,
			Domain:   cfg.CookieDomain,
			Path:     cfg.CookiePath,
			Expires:  time.Now().Add(cfg.Expiration),
			Secure:   cfg.CookieSecure,
			HTTPOnly: cfg.CookieHTTPOnly,
			SameSite: cfg.CookieSameSite,
		}
		// Set cookie to response
		c.Cookie(cookie)

		// Protect clients from caching the response by telling the browser
		// a new header value is generated
		c.Vary(fiber.HeaderCookie)

		// Store token in context if set
		if cfg.ContextKey != "" {
			c.Locals(cfg.ContextKey, token)
		}

		// Continue stack
		return c.Next()
	}
}
⚡ v2 2020-09-13 11:20:11 +02:00			`package csrf`

			`import (`
🔧 fix(middleware/csrf): unmatched token returns nil error (#1667) * Update csrf.go * Update csrf_test.go * fix(middleware/csrf): missing token return and unit test * Update csrf_test.go 2021-12-28 21:13:20 -04:00			`"errors"`
⚡ v2 2020-09-13 11:20:11 +02:00			`"time"`

			`"github.com/gofiber/fiber/v2"`
			`)`

🔧 fix(middleware/csrf): unmatched token returns nil error (#1667) * Update csrf.go * Update csrf_test.go * fix(middleware/csrf): missing token return and unit test * Update csrf_test.go 2021-12-28 21:13:20 -04:00			`var (`
			`errTokenNotFound = errors.New("csrf token not found")`
			`)`

⚡ v2 2020-09-13 11:20:11 +02:00			`// New creates a new middleware handler`
			`func New(config ...Config) fiber.Handler {`
			`// Set default config`
Remove global variable 2021-03-09 09:29:47 -05:00			`cfg := configDefault(config...)`
⚡ v2 2020-09-13 11:20:11 +02:00
🩹 fix manager logic 2020-11-23 07:38:42 +01:00			`// Create manager to simplify storage operations ( see manager.go )`
			`manager := newManager(cfg.Storage)`
⚡ v2 2020-09-13 11:20:11 +02:00
🩹 fix manager logic 2020-11-23 07:38:42 +01:00			`dummyValue := []byte{'+'}`

⚡ v2 2020-09-13 11:20:11 +02:00			`// Return new handler`
🧽 clean code structure 2020-11-11 21:44:37 +01:00			`return func(c *fiber.Ctx) (err error) {`
⚡ v2 2020-09-13 11:20:11 +02:00			`// Don't execute middleware if Next returns true`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`if cfg.Next != nil && cfg.Next(c) {`
⚡ v2 2020-09-13 11:20:11 +02:00			`return c.Next()`
			`}`

🧽 clean code structure 2020-11-11 21:44:37 +01:00			`var token string`

🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`// Action depends on the HTTP method`
			`switch c.Method() {`
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180) * expire cookie on Post, Delete, Patch and Put Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid * token and cookie match * retrigger checks * csrf tests * csrf per session strategy 2021-03-01 12:44:17 -04:00			`case fiber.MethodGet, fiber.MethodHead, fiber.MethodOptions, fiber.MethodTrace:`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`// Declare empty token and try to get existing CSRF from cookie`
🩹 fix csrf test 2020-11-14 03:09:53 +01:00			`token = c.Cookies(cfg.CookieName)`
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180) * expire cookie on Post, Delete, Patch and Put Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid * token and cookie match * retrigger checks * csrf tests * csrf per session strategy 2021-03-01 12:44:17 -04:00			`default:`
			`// Assume that anything not defined as 'safe' by RFC7231 needs protection`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00
			`// Extract token from client request i.e. header, query, param, form or cookie`
CSRF MW Restructuring 2021-03-01 16:25:32 -05:00			`token, err = cfg.extractor(c)`
⚡ v2 2020-09-13 11:20:11 +02:00			`if err != nil {`
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00			`return cfg.ErrorHandler(c, err)`
⚡ v2 2020-09-13 11:20:11 +02:00			`}`
🩹 fix manager logic 2020-11-23 07:38:42 +01:00
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00			`// if token does not exist in Storage`
🩹 fix manager logic 2020-11-23 07:38:42 +01:00			`if manager.getRaw(token) == nil {`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`// Expire cookie`
			`c.Cookie(&fiber.Cookie{`
🩹 fix csrf test 2020-11-14 03:09:53 +01:00			`Name: cfg.CookieName,`
			`Domain: cfg.CookieDomain,`
			`Path: cfg.CookiePath,`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`Expires: time.Now().Add(-1 * time.Minute),`
🩹 fix csrf test 2020-11-14 03:09:53 +01:00			`Secure: cfg.CookieSecure,`
			`HTTPOnly: cfg.CookieHTTPOnly,`
			`SameSite: cfg.CookieSameSite,`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`})`
🔧 fix(middleware/csrf): unmatched token returns nil error (#1667) * Update csrf.go * Update csrf_test.go * fix(middleware/csrf): missing token return and unit test * Update csrf_test.go 2021-12-28 21:13:20 -04:00			`return cfg.ErrorHandler(c, errTokenNotFound)`
⚡ v2 2020-09-13 11:20:11 +02:00			`}`
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180) * expire cookie on Post, Delete, Patch and Put Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid * token and cookie match * retrigger checks * csrf tests * csrf per session strategy 2021-03-01 12:44:17 -04:00			`}`

			`// Generate CSRF token if not exist`
			`if token == "" {`
			`// And generate a new token`
			`token = cfg.KeyGenerator()`
			`}`
🩹 fix manager logic 2020-11-23 07:38:42 +01:00
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180) * expire cookie on Post, Delete, Patch and Put Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid * token and cookie match * retrigger checks * csrf tests * csrf per session strategy 2021-03-01 12:44:17 -04:00			`// Add/update token to Storage`
			`manager.setRaw(token, dummyValue, cfg.Expiration)`

			`// Create cookie to pass token to client`
			`cookie := &fiber.Cookie{`
			`Name: cfg.CookieName,`
			`Value: token,`
			`Domain: cfg.CookieDomain,`
			`Path: cfg.CookiePath,`
			`Expires: time.Now().Add(cfg.Expiration),`
			`Secure: cfg.CookieSecure,`
			`HTTPOnly: cfg.CookieHTTPOnly,`
			`SameSite: cfg.CookieSameSite,`
⚡ v2 2020-09-13 11:20:11 +02:00			`}`
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180) * expire cookie on Post, Delete, Patch and Put Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid * token and cookie match * retrigger checks * csrf tests * csrf per session strategy 2021-03-01 12:44:17 -04:00			`// Set cookie to response`
			`c.Cookie(cookie)`
⚡ v2 2020-09-13 11:20:11 +02:00
🧽 clean code structure 2020-11-11 21:44:37 +01:00			`// Protect clients from caching the response by telling the browser`
			`// a new header value is generated`
			`c.Vary(fiber.HeaderCookie)`

			`// Store token in context if set`
			`if cfg.ContextKey != "" {`
			`c.Locals(cfg.ContextKey, token)`
			`}`

⚡ v2 2020-09-13 11:20:11 +02:00			`// Continue stack`
			`return c.Next()`
			`}`
			`}`