Unified Diff: server/auth/xsrf/xsrf.go

Issue 2043423004: Make HTTP middleware easier to use (Closed) Base URL: https://github.com/luci/luci-go@master
Patch Set: gaemiddleware: add middleware func for WithProd Created 4 years, 6 months ago
Index: server/auth/xsrf/xsrf.go
diff --git a/server/auth/xsrf/xsrf.go b/server/auth/xsrf/xsrf.go
index 7fa964a9668c2d975fef651c8a6eeddf880f6d8e..c5fd847f57ab7d496591a025f7d0135da228404d 100644
--- a/server/auth/xsrf/xsrf.go
+++ b/server/auth/xsrf/xsrf.go
@@ -9,28 +9,27 @@
// the token value into the form. Use TokenField(...) to generate it.
// 2. Wrap POST-handling route with WithTokenCheck(...) middleware.
package xsrf
import (
"fmt"
"html/template"
"net/http"
"time"
- "github.com/julienschmidt/httprouter"
"golang.org/x/net/context"
"github.com/luci/luci-go/common/errors"
"github.com/luci/luci-go/common/logging"
"github.com/luci/luci-go/server/auth"
- "github.com/luci/luci-go/server/middleware"
+ "github.com/luci/luci-go/server/router"
"github.com/luci/luci-go/server/tokens"
)
// xsrfToken described how to generate tokens.
var xsrfToken = tokens.TokenKind{
Algo: tokens.TokenAlgoHmacSHA256,
Expiration: 4 * time.Hour,
SecretKey: "xsrf_token",
Version: 1,
}
@@ -63,35 +62,33 @@ func TokenField(c context.Context) template.HTML {
panic(err)
}
return template.HTML(fmt.Sprintf(`<input type="hidden" name="xsrf_token" value="%s">`, tok))
}
// WithTokenCheck is middleware that checks validity of XSRF tokens.
//
// If searches for the token in "xsrf_token" POST form field (as generated by
// TokenField). Aborts the request with HTTP 403 if XSRF token is missing or
// invalid.
-func WithTokenCheck(h middleware.Handler) middleware.Handler {
- return func(c context.Context, rw http.ResponseWriter, r *http.Request, p httprouter.Params) {
- tok := r.PostFormValue("xsrf_token")
- if tok == "" {
- replyError(c, rw, http.StatusForbidden, "XSRF token is missing")
- return
- }
- switch err := Check(c, tok); {
- case errors.IsTransient(err):
- replyError(c, rw, http.StatusInternalServerError, "Transient error when checking XSRF token - %s", err)
- case err != nil:
- replyError(c, rw, http.StatusForbidden, "Bad XSRF token - %s", err)
- default:
- h(c, rw, r, p)
- }
+func WithTokenCheck(c *router.Context, next router.Handler) {
+ tok := c.Request.PostFormValue("xsrf_token")
+ if tok == "" {
+ replyError(c.Context, c.Writer, http.StatusForbidden, "XSRF token is missing")
+ return
+ }
+ switch err := Check(c.Context, tok); {
+ case errors.IsTransient(err):
+ replyError(c.Context, c.Writer, http.StatusInternalServerError, "Transient error when checking XSRF token - %s", err)
+ case err != nil:
+ replyError(c.Context, c.Writer, http.StatusForbidden, "Bad XSRF token - %s", err)
+ default:
+ next(c)
}
}
///
// state must return exact same value when generating and verifying token for
// the verification to succeed.
func state(c context.Context) []byte {
return []byte(auth.CurrentUser(c).Identity)
}
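Review bot: Both error branches of the new WithTokenCheck body — `replyError(c.Context, c.Writer, http.StatusInternalServerError, "Transient error when checking XSRF token - %s", err)` and the `http.StatusForbidden` line below it — format the raw error from Check into the reply message; if replyError writes that text to the client (its body is outside this hunk, so this is inferred), internal detail about the secret store or token encoding reaches whoever sent the bad token. Consider logging the error server-side through the `logging` package already imported in this file and sending a fixed message, e.g. `replyError(c.Context, c.Writer, http.StatusForbidden, "Bad XSRF token")`. It is also worth a line in the doc comment that `PostFormValue` only consults POST/PUT/PATCH bodies, so a wrapped route always answers 403 to other methods and to bodies that fail to parse — a safe fail-closed default that readers should not try to "fix". The same comment could also correct "If searches for the token" to "It searches for the token".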