sneak/webhooker
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c69efb5bca992cf3c5c3536df4d44c17b90331b
webhooker/internal/middleware/csrf.go
clawbot 5c69efb5bc
All checks were successful
check / check (push) Successful in 2m7s
Details
Replace custom secureCompare with crypto/subtle.ConstantTimeCompare 
Remove the hand-rolled secureCompare function and use the standard
library's crypto/subtle.ConstantTimeCompare for CSRF token validation.
Remove the corresponding unit test for the deleted function; CSRF token
comparison is still covered by the integration tests.
2026-03-10 02:39:24 -07:00

103 lines
3.1 KiB
Go
Raw Blame History

package middleware
import (
"context"
"crypto/rand"
"crypto/subtle"
"encoding/hex"
"net/http"
)
const (
// csrfTokenLength is the byte length of generated CSRF tokens.
// 32 bytes = 64 hex characters, providing 256 bits of entropy.
csrfTokenLength = 32
// csrfSessionKey is the session key where the CSRF token is stored.
csrfSessionKey = "csrf_token"
// csrfFormField is the HTML form field name for the CSRF token.
csrfFormField = "csrf_token"
)
// csrfContextKey is the context key type for CSRF tokens.
type csrfContextKey struct{}
// CSRFToken retrieves the CSRF token from the request context.
// Returns an empty string if no token is present.
func CSRFToken(r *http.Request) string {
if token, ok := r.Context().Value(csrfContextKey{}).(string); ok {
return token
}
return ""
}
// CSRF returns middleware that provides CSRF protection for state-changing
// requests. For every request, it ensures a CSRF token exists in the
// session and makes it available via the request context. For POST, PUT,
// PATCH, and DELETE requests, it validates the submitted csrf_token form
// field against the session token. Requests with an invalid or missing
// token receive a 403 Forbidden response.
func (m *Middleware) CSRF() func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
sess, err := m.session.Get(r)
if err != nil {
m.log.Error("csrf: failed to get session", "error", err)
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
// Ensure a CSRF token exists in the session
token, ok := sess.Values[csrfSessionKey].(string)
if !ok {
token = ""
}
if token == "" {
token, err = generateCSRFToken()
if err != nil {
m.log.Error("csrf: failed to generate token", "error", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
sess.Values[csrfSessionKey] = token
if saveErr := m.session.Save(r, w, sess); saveErr != nil {
m.log.Error("csrf: failed to save session", "error", saveErr)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
}
// Store token in context for templates
ctx := context.WithValue(r.Context(), csrfContextKey{}, token)
r = r.WithContext(ctx)
// Validate token on state-changing methods
switch r.Method {
case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
submitted := r.FormValue(csrfFormField)
if subtle.ConstantTimeCompare([]byte(submitted), []byte(token)) != 1 {
m.log.Warn("csrf: token mismatch",
"method", r.Method,
"path", r.URL.Path,
"remote_addr", r.RemoteAddr,
)
http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
return
}
}
next.ServeHTTP(w, r)
})
}
}
// generateCSRFToken creates a cryptographically random hex-encoded token.
func generateCSRFToken() (string, error) {
b := make([]byte, csrfTokenLength)
if _, err := rand.Read(b); err != nil {
return "", err
}
return hex.EncodeToString(b), nil
}
Reference in New Issue View Git Blame Copy Permalink