Package csrf is a middleware that generates and validates CSRF tokens for Flamego

csrf

Package csrf is a middleware that generates and validates CSRF tokens for Flamego.

Installation

The minimum requirement of Go is 1.16.

go get github.com/flamego/csrf

Getting started

<form action="/protected" method="POST">
    <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
    <button>Submit</button>
</form>

package main

import (
	"net/http"

	"github.com/flamego/csrf"
	"github.com/flamego/flamego"
	"github.com/flamego/session"
	"github.com/flamego/template"
)

func main() {
	f := flamego.Classic()
	f.Use(template.Templater())
	f.Use(session.Sessioner())
	f.Use(csrf.Csrfer())

	// Simulate the authentication of a session. If the "userID" exists,
	// then redirect to a form that requires CSRF protection.
	f.Get("/", func(c flamego.Context, s session.Session) {
		if s.Get("userID") == nil {
			c.Redirect("/login")
			return
		}
		c.Redirect("/protected")
	})

	// Set uid for the session.
	f.Get("/login", func(c flamego.Context, s session.Session) {
		s.Set("userID", 123)
		c.Redirect("/")
	})

	// Render a protected form by passing a CSRF token using x.Token().
	f.Get("/protected", func(c flamego.Context, s session.Session, x csrf.CSRF, t template.Template, data template.Data) {
		if s.Get("userID") == nil {
			c.Redirect("/login", http.StatusUnauthorized)
			return
		}

		// Pass token to the protected template.
		data["CSRFToken"] = x.Token()
		t.HTML(http.StatusOK, "protected")
	})

	// Apply CSRF validation to route.
	f.Post("/protected", csrf.Validate, func(c flamego.Context, s session.Session, t template.Template) {
		if s.Get("userID") != nil {
			c.ResponseWriter().Write([]byte("You submitted with a valid CSRF token"))
			return
		}
		c.Redirect("/login", http.StatusUnauthorized)
	})

	f.Run()
}
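To make concrete what csrf.Csrfer() and csrf.Validate are doing for the application above, here is a stand-alone illustration of the synchronizer-token pattern written for this page using only the Go standard library (it is not the flamego/csrf implementation and does not depend on Flamego): a per-session token is minted from crypto/rand, handed to the form as the `_csrf` hidden field the template uses, and checked on every state-changing request with a constant-time compare. The in-memory sessionStore, the `sid` cookie and the `X-CSRF-Token` header name are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// sessionStore is a constructed stand-in for a real session backend:
// it maps a session ID to the CSRF token bound to that session.
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newStore() *sessionStore { return &sessionStore{tokens: map[string]string{}} }

// tokenFor returns the token already bound to the session, or mints a
// fresh 32-byte random token and binds it. Reusing the token for the
// lifetime of the session is what lets x.Token() be called on every render.
func (s *sessionStore) tokenFor(sid string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if t, ok := s.tokens[sid]; ok {
		return t, nil
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := base64.RawURLEncoding.EncodeToString(b)
	s.tokens[sid] = t
	return t, nil
}

// validate compares the submitted token with the session's token in
// constant time; an unknown session or empty token is always rejected.
func (s *sessionStore) validate(sid, submitted string) bool {
	s.mu.Lock()
	expected, ok := s.tokens[sid]
	s.mu.Unlock()
	if !ok || submitted == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

// protect plays the role of csrf.Validate: safe methods pass through, every
// other method must carry the session's token in the _csrf form field or
// the (assumed) X-CSRF-Token header.
func (s *sessionStore) protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie("sid") // assumed session cookie name
		if err != nil {
			http.Error(w, "no session", http.StatusForbidden)
			return
		}
		token := r.Header.Get("X-CSRF-Token")
		if token == "" {
			token = r.FormValue("_csrf")
		}
		if !s.validate(c.Value, token) {
			http.Error(w, "invalid CSRF token", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// submit drives a constructed form POST through the middleware and returns
// the resulting HTTP status code.
func submit(s *sessionStore, sid, token string) int {
	h := s.protect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	form := url.Values{"_csrf": {token}}
	req := httptest.NewRequest(http.MethodPost, "/protected", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "sid", Value: sid})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	s := newStore()
	tok, _ := s.tokenFor("session-a")
	// Valid token, forged token, and a real token replayed under another session.
	fmt.Println(submit(s, "session-a", tok), submit(s, "session-a", "forged"), submit(s, "session-b", tok))
}
```

The third case in main is the one worth remembering: a token is only meaningful for the session it was minted for, so a token captured from one session does not validate a request carrying a different session cookie. The GET/HEAD/OPTIONS bypass mirrors the convention that only state-changing methods are protected, which is why the application above applies csrf.Validate to the POST route only.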

License

This project is under the MIT License. See the LICENSE file for the full license text.

Comments
  • csrf: register type for gob serialization

    csrf: register type for gob serialization

    Describe the pull request

    Fix https://github.com/flamego/flamego/issues/152

    Link to the issue: https://github.com/flamego/flamego/issues/152

    Checklist

    • [x] I agree to follow the Code of Conduct by submitting this pull request.
    • [x] I have read and acknowledge the Contributing guide.
    • [x] I have added test cases to cover the new code.
  • mod: bump github.com/stretchr/testify from 1.7.4 to 1.7.5

    mod: bump github.com/stretchr/testify from 1.7.4 to 1.7.5

    Bumps github.com/stretchr/testify from 1.7.4 to 1.7.5.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • perf: improve the performance of `randomBytes`

    perf: improve the performance of `randomBytes`

    BenchmarkRandomBytes-12       1208862     962.8 ns/op
    BenchmarkRandomBytesNew-12   25269285     47.34 ns/op

    Describe the pull request

    A clear and concise description of what the pull request is about, i.e. what problem should be fixed?

    Link to the issue:

    Checklist

    • [x] I agree to follow the Code of Conduct by submitting this pull request.
    • [x] I have read and acknowledge the Contributing guide.
    • [x] I have added test cases to cover the new code.
  • mod: bump github.com/flamego/session from 1.2.1 to 1.2.2

    mod: bump github.com/flamego/session from 1.2.1 to 1.2.2

    Bumps github.com/flamego/session from 1.2.1 to 1.2.2.

    Release notes

    Sourced from github.com/flamego/session's releases.

    1.2.2

    What's Changed

    New Contributors

    Full Changelog: https://github.com/flamego/session/compare/v1.2.1...v1.2.2

    Commits
    • f08e1fc load: ignore context cancel error (#64)
    • 4842fc5 mod: bump github.com/go-sql-driver/mysql from 1.6.0 to 1.7.0 (#65)
    • 3a174aa mod: bump go.mongodb.org/mongo-driver from 1.10.3 to 1.11.0 (#62)
    • See full diff in compare view

  • mod: bump github.com/flamego/session from 1.1.0 to 1.2.0

    mod: bump github.com/flamego/session from 1.1.0 to 1.2.0

    Bumps github.com/flamego/session from 1.1.0 to 1.2.0.

    Release notes

    Sourced from github.com/flamego/session's releases.

    1.2.0

    What's Changed

    Full Changelog: https://github.com/flamego/session/compare/v1.1.0...v1.2.0

    Commits
    • eec27bf mod: bump github.com/flamego/flamego from 1.5.0 to 1.7.0 (#60)
    • 74df87f mod: bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#59)
    • 2b1f2c6 mod: bump go.mongodb.org/mongo-driver from 1.10.1 to 1.10.3 (#58)
    • 436c60c ci: use pinned image "mongo:5" (#57)
    • fba704d mod: bump github.com/jackc/pgx/v4 from 4.17.1 to 4.17.2 (#55)
    • 56f334c mod: bump github.com/jackc/pgx/v4 from 4.17.0 to 4.17.1 (#54)
    • ebb1189 mod: bump github.com/jackc/pgx/v4 from 4.16.1 to 4.17.0 (#52)
    • a1910a4 mod: bump go.mongodb.org/mongo-driver from 1.10.0 to 1.10.1 (#53)
    • 15e4445 mod: bump go.mongodb.org/mongo-driver from 1.9.1 to 1.10.0 (#51)
    • 357ae27 mod: bump github.com/stretchr/testify from 1.7.3 to 1.8.0 (#50)
    • Additional commits viewable in compare view

  • mod: bump github.com/stretchr/testify from 1.8.0 to 1.8.1

    mod: bump github.com/stretchr/testify from 1.8.0 to 1.8.1

    Bumps github.com/stretchr/testify from 1.8.0 to 1.8.1.

    Commits

  • mod: bump github.com/flamego/flamego from 1.5.0 to 1.7.0

    mod: bump github.com/flamego/flamego from 1.5.0 to 1.7.0

    Bumps github.com/flamego/flamego from 1.5.0 to 1.7.0.

    Release notes

    Sourced from github.com/flamego/flamego's releases.

    1.7.0

    What's Changed

    Full Changelog: https://github.com/flamego/flamego/compare/v1.6.0...v1.7.0

    1.6.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/flamego/flamego/compare/v1.5.0...v1.6.0

    Commits
    • 12c2506 mod: update github.com/alecthomas/participle/v2 to v2.0.0-beta.5 (#149)
    • 9047801 chore: fix linter errors (#147)
    • 9e2c44f static: support setting "Cache-Control" (#143)
    • 485f440 README: add codenotify.run (#145)
    • 2c4d8c8 mod: bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (#140)
    • f679c72 mod: bump github.com/stretchr/testify from 1.7.2 to 1.7.5 (#139)
    • d3f24e8 README: add NekoBox to use cases (#137)
    • 61918ba mod: bump github.com/alecthomas/participle/v2 from 2.0.0-alpha9 to 2.0.0-alph...
    • ab89fab mod: bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#135)
    • See full diff in compare view

  • mod: bump github.com/stretchr/testify from 1.7.4 to 1.8.0

    mod: bump github.com/stretchr/testify from 1.7.4 to 1.8.0

    Bumps github.com/stretchr/testify from 1.7.4 to 1.8.0.

    Commits

  • mod: bump github.com/stretchr/testify from 1.7.2 to 1.7.4

    mod: bump github.com/stretchr/testify from 1.7.2 to 1.7.4

    Bumps github.com/stretchr/testify from 1.7.2 to 1.7.4.

    Commits
    • 48391ba Fix panic in AssertExpectations for mocks without expectations (#1207)
    • 840cb80 arrays value types in a zero-initialized state are considered empty (#1126)
    • 07dc7ee Bump actions/setup-go from 3.1.0 to 3.2.0 (#1191)
    • c33fc8d Bump actions/checkout from 2 to 3 (#1163)
    • 3c33e07 Added Go 1.18.1 as a build/supported version (#1182)
    • e2b56b3 Bump github.com/stretchr/objx from 0.1.0 to 0.4.0
    • See full diff in compare view

  • mod: bump github.com/flamego/flamego from 1.4.0 to 1.5.0

    mod: bump github.com/flamego/flamego from 1.4.0 to 1.5.0

    Bumps github.com/flamego/flamego from 1.4.0 to 1.5.0.

    Release notes

    Sourced from github.com/flamego/flamego's releases.

    1.5.0

    What's Changed

    Full Changelog: https://github.com/flamego/flamego/compare/v1.4.0...v1.5.0

    Commits

  • mod: bump github.com/stretchr/testify from 1.7.1 to 1.7.2

    mod: bump github.com/stretchr/testify from 1.7.1 to 1.7.2

    Bumps github.com/stretchr/testify from 1.7.1 to 1.7.2.

    Commits
