fiber/middleware/csrf/config.go

package csrf

import (
	"fmt"
	"net/textproto"
	"strings"
	"time"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/utils"
)

// Config defines the config for middleware.
type Config struct {
	// Next defines a function to skip this middleware when returned true.
	//
	// Optional. Default: nil
	Next func(c *fiber.Ctx) bool

	// KeyLookup is a string in the form of "<source>:<key>" that is used
	// to extract token from the request.
	// Possible values:
	// - "header:<name>"
	// - "query:<name>"
	// - "param:<name>"
	// - "form:<name>"
	// - "cookie:<name>"
	//
	// Optional. Default: "header:X-CSRF-Token"
	KeyLookup string

	// Name of the session cookie. This cookie will store session key.
	// Optional. Default value "csrf_".
	CookieName string

	// Domain of the CSRF cookie.
	// Optional. Default value "".
	CookieDomain string

	// Path of the CSRF cookie.
	// Optional. Default value "".
	CookiePath string

	// Indicates if CSRF cookie is secure.
	// Optional. Default value false.
	CookieSecure bool

	// Indicates if CSRF cookie is HTTP only.
	// Optional. Default value false.
	CookieHTTPOnly bool

	// Value of SameSite cookie.
	// Optional. Default value "Lax".
	CookieSameSite string

	// Decides whether cookie should last for only the browser sesison.
	// Ignores Expiration if set to true
	CookieSessionOnly bool

	// Expiration is the duration before csrf token will expire
	//
	// Optional. Default: 1 * time.Hour
	Expiration time.Duration

	// Store is used to store the state of the middleware
	//
	// Optional. Default: memory.New()
	Storage fiber.Storage

	// Context key to store generated CSRF token into context.
	// If left empty, token will not be stored in context.
	//
	// Optional. Default: ""
	ContextKey string

	// KeyGenerator creates a new CSRF token
	//
	// Optional. Default: utils.UUID
	KeyGenerator func() string

	// Deprecated, please use Expiration
	CookieExpires time.Duration

	// Deprecated, please use Cookie* related fields
	Cookie *fiber.Cookie

	// Deprecated, please use KeyLookup
	TokenLookup string

	// ErrorHandler is executed when an error is returned from fiber.Handler.
	//
	// Optional. Default: DefaultErrorHandler
	ErrorHandler fiber.ErrorHandler

	// extractor returns the csrf token from the request based on KeyLookup
	extractor func(c *fiber.Ctx) (string, error)
}

// ConfigDefault is the default config
var ConfigDefault = Config{
	KeyLookup:      "header:X-Csrf-Token",
	CookieName:     "csrf_",
	CookieSameSite: "Lax",
	Expiration:     1 * time.Hour,
	KeyGenerator:   utils.UUID,
	ErrorHandler:   defaultErrorHandler,
	extractor:      csrfFromHeader("X-Csrf-Token"),
}

// default ErrorHandler that process return error from fiber.Handler
var defaultErrorHandler = func(c *fiber.Ctx, err error) error {
	return fiber.ErrForbidden
}

// Helper function to set default values
func configDefault(config ...Config) Config {
	// Return default config if nothing provided
	if len(config) < 1 {
		return ConfigDefault
	}

	// Override default config
	cfg := config[0]

	// Set default values
	if cfg.TokenLookup != "" {
		fmt.Println("[CSRF] TokenLookup is deprecated, please use KeyLookup")
		cfg.KeyLookup = cfg.TokenLookup
	}
	if int(cfg.CookieExpires.Seconds()) > 0 {
		fmt.Println("[CSRF] CookieExpires is deprecated, please use Expiration")
		cfg.Expiration = cfg.CookieExpires
	}
	if cfg.Cookie != nil {
		fmt.Println("[CSRF] Cookie is deprecated, please use Cookie* related fields")
		if cfg.Cookie.Name != "" {
			cfg.CookieName = cfg.Cookie.Name
		}
		if cfg.Cookie.Domain != "" {
			cfg.CookieDomain = cfg.Cookie.Domain
		}
		if cfg.Cookie.Path != "" {
			cfg.CookiePath = cfg.Cookie.Path
		}
		cfg.CookieSecure = cfg.Cookie.Secure
		cfg.CookieHTTPOnly = cfg.Cookie.HTTPOnly
		if cfg.Cookie.SameSite != "" {
			cfg.CookieSameSite = cfg.Cookie.SameSite
		}
	}
	if cfg.KeyLookup == "" {
		cfg.KeyLookup = ConfigDefault.KeyLookup
	}
	if int(cfg.Expiration.Seconds()) <= 0 {
		cfg.Expiration = ConfigDefault.Expiration
	}
	if cfg.CookieName == "" {
		cfg.CookieName = ConfigDefault.CookieName
	}
	if cfg.CookieSameSite == "" {
		cfg.CookieSameSite = ConfigDefault.CookieSameSite
	}
	if cfg.KeyGenerator == nil {
		cfg.KeyGenerator = ConfigDefault.KeyGenerator
	}
	if cfg.ErrorHandler == nil {
		cfg.ErrorHandler = ConfigDefault.ErrorHandler
	}

	// Generate the correct extractor to get the token from the correct location
	selectors := strings.Split(cfg.KeyLookup, ":")

	if len(selectors) != 2 {
		panic("[CSRF] KeyLookup must in the form of <source>:<key>")
	}

	// By default we extract from a header
	cfg.extractor = csrfFromHeader(textproto.CanonicalMIMEHeaderKey(selectors[1]))

	switch selectors[0] {
	case "form":
		cfg.extractor = csrfFromForm(selectors[1])
	case "query":
		cfg.extractor = csrfFromQuery(selectors[1])
	case "param":
		cfg.extractor = csrfFromParam(selectors[1])
	case "cookie":
		cfg.extractor = csrfFromCookie(selectors[1])
	}

	return cfg
}
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`package csrf`

			`import (`
			`"fmt"`
CSRF MW Restructuring 2021-03-01 16:25:32 -05:00			`"net/textproto"`
			`"strings"`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`"time"`

			`"github.com/gofiber/fiber/v2"`
			`"github.com/gofiber/fiber/v2/utils"`
			`)`

			`// Config defines the config for middleware.`
			`type Config struct {`
			`// Next defines a function to skip this middleware when returned true.`
			`//`
			`// Optional. Default: nil`
			`Next func(c *fiber.Ctx) bool`

🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// KeyLookup is a string in the form of "<source>:<key>" that is used`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`// to extract token from the request.`
			`// Possible values:`
			`// - "header:<name>"`
			`// - "query:<name>"`
			`// - "param:<name>"`
			`// - "form:<name>"`
			`// - "cookie:<name>"`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`//`
			`// Optional. Default: "header:X-CSRF-Token"`
			`KeyLookup string`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`// Name of the session cookie. This cookie will store session key.`
fixed cookie error in csrf.go 2020-12-10 10:45:21 +05:30			`// Optional. Default value "csrf_".`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`CookieName string`

			`// Domain of the CSRF cookie.`
			`// Optional. Default value "".`
			`CookieDomain string`

			`// Path of the CSRF cookie.`
			`// Optional. Default value "".`
			`CookiePath string`

			`// Indicates if CSRF cookie is secure.`
			`// Optional. Default value false.`
			`CookieSecure bool`

			`// Indicates if CSRF cookie is HTTP only.`
			`// Optional. Default value false.`
			`CookieHTTPOnly bool`

Fix comment in middleware/csrf/config.go 2021-03-20 12:58:08 +08:00			`// Value of SameSite cookie.`
CookieSameSite default "Lax" (#1640) 2021-12-02 02:41:44 -04:00			`// Optional. Default value "Lax".`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`CookieSameSite string`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00
Feature: Session Only Cookies (#1752) * feat(ctx): add SessionOnly property on Cookie struct * feat(middleware/config): add CookieSessionOnly property on middleware Config struct * feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function * fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie * fix(readme): update readme in csrf middleware for CookieSessionOnly property * remove deprecated property from CookieSessionOnly explaination comments 2022-02-07 18:05:00 +05:30			`// Decides whether cookie should last for only the browser sesison.`
			`// Ignores Expiration if set to true`
			`CookieSessionOnly bool`

🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`// Expiration is the duration before csrf token will expire`
			`//`
			`// Optional. Default: 1 * time.Hour`
			`Expiration time.Duration`

			`// Store is used to store the state of the middleware`
			`//`
✏ update readme 2020-11-11 15:57:38 +01:00			`// Optional. Default: memory.New()`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`Storage fiber.Storage`

			`// Context key to store generated CSRF token into context.`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// If left empty, token will not be stored in context.`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`//`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// Optional. Default: ""`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`ContextKey string`

🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// KeyGenerator creates a new CSRF token`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`//`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// Optional. Default: utils.UUID`
✏ fix typo 2020-11-11 16:41:26 +01:00			`KeyGenerator func() string`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00
			`// Deprecated, please use Expiration`
			`CookieExpires time.Duration`
🕊 rename token to key 2020-11-11 18:19:53 +01:00
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`// Deprecated, please use Cookie* related fields`
			`Cookie *fiber.Cookie`

🕊 rename token to key 2020-11-11 18:19:53 +01:00			`// Deprecated, please use KeyLookup`
			`TokenLookup string`
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00
			`// ErrorHandler is executed when an error is returned from fiber.Handler.`
			`//`
			`// Optional. Default: DefaultErrorHandler`
			`ErrorHandler fiber.ErrorHandler`
CSRF MW Restructuring 2021-03-01 16:25:32 -05:00
			`// extractor returns the csrf token from the request based on KeyLookup`
			`extractor func(c *fiber.Ctx) (string, error)`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`

			`// ConfigDefault is the default config`
			`var ConfigDefault = Config{`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`KeyLookup: "header:X-Csrf-Token",`
			`CookieName: "csrf_",`
CookieSameSite default "Lax" (#1640) 2021-12-02 02:41:44 -04:00			`CookieSameSite: "Lax",`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`Expiration: 1 * time.Hour,`
			`KeyGenerator: utils.UUID,`
make default handler to private. fix testcase for invalid token and empty token. 2021-01-23 12:39:27 +09:00			`ErrorHandler: defaultErrorHandler,`
CSRF MW Restructuring 2021-03-01 16:25:32 -05:00			`extractor: csrfFromHeader("X-Csrf-Token"),`
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00			`}`

make default handler to private. fix testcase for invalid token and empty token. 2021-01-23 12:39:27 +09:00			`// default ErrorHandler that process return error from fiber.Handler`
			`var defaultErrorHandler = func(c *fiber.Ctx, err error) error {`
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00			`return fiber.ErrForbidden`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`

			`// Helper function to set default values`
			`func configDefault(config ...Config) Config {`
			`// Return default config if nothing provided`
			`if len(config) < 1 {`
			`return ConfigDefault`
			`}`

			`// Override default config`
			`cfg := config[0]`

			`// Set default values`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`if cfg.TokenLookup != "" {`
			`fmt.Println("[CSRF] TokenLookup is deprecated, please use KeyLookup")`
🩹 fix tests 2020-11-11 18:34:46 +01:00			`cfg.KeyLookup = cfg.TokenLookup`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`
🩹 fix csrf test 2020-11-14 03:09:53 +01:00			`if int(cfg.CookieExpires.Seconds()) > 0 {`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`fmt.Println("[CSRF] CookieExpires is deprecated, please use Expiration")`
🩹 fix tests 2020-11-11 18:34:46 +01:00			`cfg.Expiration = cfg.CookieExpires`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`}`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`if cfg.Cookie != nil {`
			`fmt.Println("[CSRF] Cookie is deprecated, please use Cookie* related fields")`
			`if cfg.Cookie.Name != "" {`
			`cfg.CookieName = cfg.Cookie.Name`
			`}`
			`if cfg.Cookie.Domain != "" {`
			`cfg.CookieDomain = cfg.Cookie.Domain`
			`}`
			`if cfg.Cookie.Path != "" {`
			`cfg.CookiePath = cfg.Cookie.Path`
			`}`
			`cfg.CookieSecure = cfg.Cookie.Secure`
			`cfg.CookieHTTPOnly = cfg.Cookie.HTTPOnly`
			`if cfg.Cookie.SameSite != "" {`
			`cfg.CookieSameSite = cfg.Cookie.SameSite`
			`}`
			`}`
🕊 rename token to key 2020-11-11 18:19:53 +01:00			`if cfg.KeyLookup == "" {`
			`cfg.KeyLookup = ConfigDefault.KeyLookup`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`
🩹 Fix expiration check 2020-11-13 18:34:01 +01:00			`if int(cfg.Expiration.Seconds()) <= 0 {`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`cfg.Expiration = ConfigDefault.Expiration`
			`}`
✨ update cookie config fields 2020-11-14 00:45:55 +01:00			`if cfg.CookieName == "" {`
			`cfg.CookieName = ConfigDefault.CookieName`
			`}`
			`if cfg.CookieSameSite == "" {`
			`cfg.CookieSameSite = ConfigDefault.CookieSameSite`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`
✏ fix typo 2020-11-11 16:41:26 +01:00			`if cfg.KeyGenerator == nil {`
			`cfg.KeyGenerator = ConfigDefault.KeyGenerator`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`}`
add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00			`if cfg.ErrorHandler == nil {`
			`cfg.ErrorHandler = ConfigDefault.ErrorHandler`
			`}`
🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00
CSRF MW Restructuring 2021-03-01 16:25:32 -05:00			`// Generate the correct extractor to get the token from the correct location`
			`selectors := strings.Split(cfg.KeyLookup, ":")`

			`if len(selectors) != 2 {`
			`panic("[CSRF] KeyLookup must in the form of <source>:<key>")`
			`}`

			`// By default we extract from a header`
			`cfg.extractor = csrfFromHeader(textproto.CanonicalMIMEHeaderKey(selectors[1]))`

			`switch selectors[0] {`
			`case "form":`
			`cfg.extractor = csrfFromForm(selectors[1])`
			`case "query":`
			`cfg.extractor = csrfFromQuery(selectors[1])`
			`case "param":`
			`cfg.extractor = csrfFromParam(selectors[1])`
			`case "cookie":`
			`cfg.extractor = csrfFromCookie(selectors[1])`
			`}`

🩹 fix crsf middleware 2020-11-11 15:25:35 +01:00			`return cfg`
			`}`