All checks were successful
check / check (push) Successful in 4s
Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting middleware with go-chi/httprate, as requested in code review.

CSRF changes:
- Replace session-based CSRF tokens with gorilla/csrf cookie-based double-submit pattern (HMAC-authenticated cookies)
- Keep same form field name (csrf_token) for template compatibility
- Keep same route exclusions (webhook/API routes)
- In dev mode, mark requests as plaintext HTTP to skip Referer check

Rate limiting changes:
- Replace custom token-bucket rate limiter with httprate sliding-window counter (per-IP, 5 POST requests/min on login endpoint)
- Remove custom IP extraction (httprate.KeyByRealIP handles X-Forwarded-For, X-Real-IP, True-Client-IP)
- Remove custom cleanup goroutine (httprate manages its own state)

Kept as-is:
- SSRF prevention code (internal/delivery/ssrf.go) — application-specific
- CSRFToken() wrapper function — handlers unchanged

Updated README security section and architecture overview to reflect library choices.
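The HMAC-authenticated double-submit cookie the commit message adopts, reduced to its mechanism in standard-library Go as an added illustration. This is neither gorilla/csrf's code nor the webhooker project's; the cookie name `_csrf`, the 32-byte key literal and the `/login` path are constructed for the example, and gorilla/csrf additionally masks the per-request form token against BREACH, which this sketch omits. The point it shows is the one that matters for the security of the pattern: the cookie half of the pair is bound to a server-side key, so a cookie that was not minted by the server cannot be paired with a matching form field.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const (
	csrfCookieName = "_csrf"      // constructed cookie name for this example
	csrfFieldName  = "csrf_token" // the form field name the commit keeps
)

// csrfKey is a constructed 32-byte HMAC key for this illustration; a real
// deployment loads it from configuration, never from source.
var csrfKey = []byte("0123456789abcdef0123456789abcdef")

// mac returns base64url(HMAC-SHA256(key, token)).
func mac(key []byte, token string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(token))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// newSignedToken mints a random token and binds it to the key as "token.mac".
func newSignedToken(key []byte) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	return token + "." + mac(key, token), nil
}

// tokenFromSigned checks the MAC and returns the bare token. A cookie written
// without the key fails here, which is what separates the authenticated
// double-submit from the naive one that only compares cookie and field.
func tokenFromSigned(key []byte, signed string) (string, bool) {
	token, sig, ok := strings.Cut(signed, ".")
	if !ok || subtle.ConstantTimeCompare([]byte(sig), []byte(mac(key, token))) != 1 {
		return "", false
	}
	return token, true
}

// csrfProtect issues the signed cookie on safe methods and, on unsafe ones,
// requires the form field to equal the token carried by a valid cookie.
func csrfProtect(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			if _, err := r.Cookie(csrfCookieName); err != nil {
				signed, err := newSignedToken(key)
				if err != nil {
					http.Error(w, "csrf token", http.StatusInternalServerError)
					return
				}
				http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: signed,
					Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
			}
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(csrfCookieName)
		if err != nil {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		token, ok := tokenFromSigned(key, c.Value)
		field := r.FormValue(csrfFieldName)
		if !ok || subtle.ConstantTimeCompare([]byte(token), []byte(field)) != 1 {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postStatus drives the middleware with an in-memory POST carrying the given
// cookie value and form field, and returns the response status code.
func postStatus(h http.Handler, cookie, field string) int {
	form := url.Values{csrfFieldName: {field}}
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := csrfProtect(csrfKey, ok)
	signed, _ := newSignedToken(csrfKey)
	token, _ := tokenFromSigned(csrfKey, signed)
	println(postStatus(h, signed, token), postStatus(h, "planted.AAAA", "planted")) // 200 403
}
```

The `SameSite=Lax` attribute is a second, independent layer; the MAC check is what makes the cookie trustworthy on its own, and the "dev mode marks requests as plaintext HTTP" item in the commit message concerns only gorilla/csrf's Referer check for non-TLS requests, not this token binding.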
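The sliding-window counter and real-IP keying the commit message switches to, written out in standard-library Go as an added illustration of the algorithm rather than httprate's own code. The header precedence in `keyByRealIP`, the injectable clock, the bucket layout and the sample addresses are assumptions made for the example; the limit (5 POSTs per minute on the login endpoint) is the one the commit states.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// keyByRealIP picks the client address the way a reverse-proxy deployment
// expects: True-Client-IP, then X-Real-IP, then the first X-Forwarded-For
// entry, then the TCP peer. The precedence is an assumption for this sketch.
// These headers are client-writable unless a trusted proxy overwrites them,
// so key on them only behind such a proxy; otherwise use RemoteAddr alone.
func keyByRealIP(r *http.Request) string {
	ip := r.Header.Get("True-Client-IP")
	if ip == "" {
		ip = r.Header.Get("X-Real-IP")
	}
	if ip == "" {
		ip, _, _ = strings.Cut(r.Header.Get("X-Forwarded-For"), ",")
	}
	if ip == "" {
		ip = r.RemoteAddr
	}
	ip = strings.TrimSpace(ip)
	if host, _, err := net.SplitHostPort(ip); err == nil {
		ip = host
	}
	return ip
}

// bucket holds one key's counts for the current and previous fixed windows.
type bucket struct {
	windowStart time.Time
	prev, cur   int
}

// slidingWindow is a sliding-window counter: the previous window's count is
// weighted by how much of it still falls inside the trailing window and added
// to the current count, which smooths the burst a plain fixed window allows
// at the boundary. The clock is injectable so tests are deterministic.
type slidingWindow struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	now     func() time.Time
	buckets map[string]*bucket
}

func newSlidingWindow(limit int, window time.Duration, now func() time.Time) *slidingWindow {
	return &slidingWindow{limit: limit, window: window, now: now, buckets: map[string]*bucket{}}
}

// allow reports whether key may make one more request, counting it if so.
func (s *slidingWindow) allow(key string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	start := now.Truncate(s.window)
	b, ok := s.buckets[key]
	if !ok {
		b = &bucket{windowStart: start}
		s.buckets[key] = b
	}
	switch {
	case start.Equal(b.windowStart):
		// still inside the same fixed window
	case start.Sub(b.windowStart) == s.window:
		b.prev, b.cur, b.windowStart = b.cur, 0, start // rolled into the next window
	default:
		b.prev, b.cur, b.windowStart = 0, 0, start // idle for more than one window
	}
	weight := 1 - float64(now.Sub(start))/float64(s.window)
	estimate := float64(b.prev)*weight + float64(b.cur)
	if estimate+1 > float64(s.limit) {
		return false
	}
	b.cur++
	return true
}

// limitPost applies the limiter to POST requests only, as the commit does for
// the login endpoint, answering 429 when one more request would exceed the limit.
func limitPost(s *slidingWindow, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && !s.allow(keyByRealIP(r)) {
			http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// loginStatus sends one in-memory request from remoteAddr (optionally with a
// constructed X-Forwarded-For header) and returns the status code.
func loginStatus(h http.Handler, method, remoteAddr, xff string) int {
	req := httptest.NewRequest(method, "/login", nil)
	req.RemoteAddr = remoteAddr
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	lim := newSlidingWindow(5, time.Minute, time.Now)
	h := limitPost(lim, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	for i := 0; i < 6; i++ {
		println(loginStatus(h, http.MethodPost, "203.0.113.7:40000", "")) // 200 five times, then 429
	}
}
```

Halfway into the next minute the previous window still counts for half its weight, so a client that used its full allowance gets only two more requests rather than a fresh five; that is the property the commit message's "sliding-window" wording refers to. Unlike the custom limiter it replaces, this sketch never evicts idle buckets, which is one of the things httprate's own state management takes care of.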
23 lines
644 B
Go
package session

import (
	"log/slog"

	"github.com/gorilla/sessions"
	"sneak.berlin/go/webhooker/internal/config"
)

// NewForTest creates a Session with a pre-configured cookie store for use
// in tests. This bypasses the fx lifecycle and database dependency, allowing
// middleware and handler tests to use real session functionality. The key
// parameter is the raw 32-byte authentication key used for session encryption
// and CSRF cookie signing.
func NewForTest(store *sessions.CookieStore, cfg *config.Config, log *slog.Logger, key []byte) *Session {
	return &Session{
		store:  store,
		key:    key,
		config: cfg,
		log:    log,
	}
}
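Review bot: the doc comment on NewForTest says key is "used for session encryption", but a single 32-byte key handed to gorilla/sessions is the authentication (HMAC) key; session cookies are only encrypted when a second key is passed to NewCookieStore, and the key gorilla/csrf takes is likewise an HMAC key. Suggest "used to authenticate session cookies and sign CSRF cookies" so a reader does not assume the test helper gives them encrypted sessions. Two smaller points on the same function: the comment promises 32 bytes but nothing checks len(key) == 32, and because store and key arrive as independent parameters a test can build the store with one key and pass a different key for CSRF, which would only show up as confusing cookie-verification failures. Either derive the store inside the helper (sessions.NewCookieStore(key)) or panic on a length mismatch so a misconfigured test fails at construction time.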