diff --git a/_examples/README.md b/_examples/README.md old mode 100644 new mode 100755 index 77b764b1..26027ad5 --- a/_examples/README.md +++ b/_examples/README.md @@ -309,6 +309,7 @@ You can serve [quicktemplate](https://github.com/valyala/quicktemplate) files to - [Profiling (pprof)](miscellaneous/pprof/main.go) - [Internal Application File Logger](miscellaneous/file-logger/main.go) - [Google reCAPTCHA](miscellaneous/recaptcha/main.go) +- [Cross-Site Request Forgery Protection](miscellaneous/csrf/main.go) ### Experimental Handlers diff --git a/_examples/miscellaneous/csrf/main.go b/_examples/miscellaneous/csrf/main.go new file mode 100644 index 00000000..3e2f27de --- /dev/null +++ b/_examples/miscellaneous/csrf/main.go @@ -0,0 +1,55 @@ +// This middleware provides Cross-Site Request Forgery +// protection. +// +// It securely generates a masked (unique-per-request) token that +// can be embedded in the HTTP response (e.g. form field or HTTP header). +// The original (unmasked) token is stored in the session, which is inaccessible +// by an attacker (provided you are using HTTPS). Subsequent requests are +// expected to include this token, which is compared against the session token. +// Requests that do not provide a matching token are served with a HTTP 403 +// 'Forbidden' error response. +package main + +// $ go get -u github.com/iris-contrib/middleware/... + +import ( + "github.com/kataras/iris" + + "github.com/iris-contrib/middleware/csrf" +) + +func main() { + app := iris.New() + app.RegisterView(iris.HTML("./views", ".html")) + // Note that the authentication key provided should be 32 bytes + // long and persist across application restarts. + protect := csrf.Protect([]byte("9AB0F421E53A477C084477AEA06096F5"), + csrf.Secure(false)) // Defaults to true, but pass `false` while no https (devmode). + + users := app.Party("/user", protect) + { + users.Get("/signup", getSignupForm) + // // POST requests without a valid token will return a HTTP 403 Forbidden. + users.Post("/signup", postSignupForm) + } + + // GET: http://localhost:8080/user/signup + // POST: http://localhost:8080/user/signup + app.Run(iris.Addr(":8080")) +} + +func getSignupForm(ctx iris.Context) { + // views/signup.html just needs a {{ .csrfField }} template tag for + // csrf.TemplateField to inject the CSRF token into. Easy! + ctx.ViewData(csrf.TemplateTag, csrf.TemplateField(ctx)) + ctx.View("views/user/signup.html") + + // We could also retrieve the token directly from csrf.Token(r) and + // set it in the request header - ctx.GetHeader("X-CSRF-Token", token) + // This is useful if you're sending JSON to clients or a front-end JavaScript + // framework. +} + +func postSignupForm(ctx iris.Context) { + ctx.Writef("You're welcome mate!") +} diff --git a/_examples/miscellaneous/csrf/views/user/signup.html b/_examples/miscellaneous/csrf/views/user/signup.html new file mode 100644 index 00000000..59a1fb61 --- /dev/null +++ b/_examples/miscellaneous/csrf/views/user/signup.html @@ -0,0 +1,4 @@ +
\ No newline at end of file diff --git a/middleware/README.md b/middleware/README.md old mode 100644 new mode 100755 index ee5cb08c..9e09ecc2 --- a/middleware/README.md +++ b/middleware/README.md @@ -26,7 +26,7 @@ Most of the experimental handlers are ported to work with _iris_'s handler form, | [prometheus](https://github.com/iris-contrib/middleware/tree/master/prometheus)| Easily create metrics endpoint for the [prometheus](http://prometheus.io) instrumentation tool | [iris-contrib/middleware/prometheus/_example](https://github.com/iris-contrib/middleware/tree/master/prometheus/_example) | | [casbin](https://github.com/iris-contrib/middleware/tree/master/casbin)| An authorization library that supports access control models like ACL, RBAC, ABAC | [iris-contrib/middleware/casbin/_examples](https://github.com/iris-contrib/middleware/tree/master/casbin/_examples) | | [raven](https://github.com/iris-contrib/middleware/tree/master/raven)| Sentry client in Go | [raven/_example](https://github.com/iris-contrib/middleware/blob/master/raven/_example/main.go) | - +| [csrf](https://github.com/iris-contrib/middleware/tree/master/csrf)| Cross-Site Request Forgery Protection | [csrf/_example](https://github.com/iris-contrib/middleware/blob/master/csrf/_example/main.go) (hard-tested for Iris) **NEW** | Third-Party Handlers ------------