mirror of
https://github.com/kataras/iris.git
synced 2025-01-23 10:41:03 +01:00
Add an example for CSRF Protection
Former-commit-id: c38fd425b00210f730e274385cb2156b423f7fbc
This commit is contained in:
parent
e67346b459
commit
3b572eb23b
1
_examples/README.md
Normal file → Executable file
1
_examples/README.md
Normal file → Executable file
|
@ -309,6 +309,7 @@ You can serve [quicktemplate](https://github.com/valyala/quicktemplate) files to
|
||||||
- [Profiling (pprof)](miscellaneous/pprof/main.go)
|
- [Profiling (pprof)](miscellaneous/pprof/main.go)
|
||||||
- [Internal Application File Logger](miscellaneous/file-logger/main.go)
|
- [Internal Application File Logger](miscellaneous/file-logger/main.go)
|
||||||
- [Google reCAPTCHA](miscellaneous/recaptcha/main.go)
|
- [Google reCAPTCHA](miscellaneous/recaptcha/main.go)
|
||||||
|
- [Cross-Site Request Forgery Protection](miscellaneous/csrf/main.go)
|
||||||
|
|
||||||
### Experimental Handlers
|
### Experimental Handlers
|
||||||
|
|
||||||
|
|
55
_examples/miscellaneous/csrf/main.go
Normal file
55
_examples/miscellaneous/csrf/main.go
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
// This middleware provides Cross-Site Request Forgery
|
||||||
|
// protection.
|
||||||
|
//
|
||||||
|
// It securely generates a masked (unique-per-request) token that
|
||||||
|
// can be embedded in the HTTP response (e.g. form field or HTTP header).
|
||||||
|
// The original (unmasked) token is stored in the session, which is inaccessible
|
||||||
|
// by an attacker (provided you are using HTTPS). Subsequent requests are
|
||||||
|
// expected to include this token, which is compared against the session token.
|
||||||
|
// Requests that do not provide a matching token are served with a HTTP 403
|
||||||
|
// 'Forbidden' error response.
|
||||||
|
package main
|
||||||
|
|
||||||
|
// $ go get -u github.com/iris-contrib/middleware/...
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/kataras/iris"
|
||||||
|
|
||||||
|
"github.com/iris-contrib/middleware/csrf"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
app := iris.New()
|
||||||
|
app.RegisterView(iris.HTML("./views", ".html"))
|
||||||
|
// Note that the authentication key provided should be 32 bytes
|
||||||
|
// long and persist across application restarts.
|
||||||
|
protect := csrf.Protect([]byte("9AB0F421E53A477C084477AEA06096F5"),
|
||||||
|
csrf.Secure(false)) // Defaults to true, but pass `false` while no https (devmode).
|
||||||
|
|
||||||
|
users := app.Party("/user", protect)
|
||||||
|
{
|
||||||
|
users.Get("/signup", getSignupForm)
|
||||||
|
// // POST requests without a valid token will return a HTTP 403 Forbidden.
|
||||||
|
users.Post("/signup", postSignupForm)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GET: http://localhost:8080/user/signup
|
||||||
|
// POST: http://localhost:8080/user/signup
|
||||||
|
app.Run(iris.Addr(":8080"))
|
||||||
|
}
|
||||||
|
|
||||||
|
func getSignupForm(ctx iris.Context) {
|
||||||
|
// views/signup.html just needs a {{ .csrfField }} template tag for
|
||||||
|
// csrf.TemplateField to inject the CSRF token into. Easy!
|
||||||
|
ctx.ViewData(csrf.TemplateTag, csrf.TemplateField(ctx))
|
||||||
|
ctx.View("views/user/signup.html")
|
||||||
|
|
||||||
|
// We could also retrieve the token directly from csrf.Token(r) and
|
||||||
|
// set it in the request header - ctx.GetHeader("X-CSRF-Token", token)
|
||||||
|
// This is useful if you're sending JSON to clients or a front-end JavaScript
|
||||||
|
// framework.
|
||||||
|
}
|
||||||
|
|
||||||
|
func postSignupForm(ctx iris.Context) {
|
||||||
|
ctx.Writef("You're welcome mate!")
|
||||||
|
}
|
4
_examples/miscellaneous/csrf/views/user/signup.html
Normal file
4
_examples/miscellaneous/csrf/views/user/signup.html
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
<form method="POST" action="/user/signup">
|
||||||
|
{{ .csrfField }}
|
||||||
|
<button type="submit">Procceed</button>
|
||||||
|
</form>
|
2
middleware/README.md
Normal file → Executable file
2
middleware/README.md
Normal file → Executable file
|
@ -26,7 +26,7 @@ Most of the experimental handlers are ported to work with _iris_'s handler form,
|
||||||
| [prometheus](https://github.com/iris-contrib/middleware/tree/master/prometheus)| Easily create metrics endpoint for the [prometheus](http://prometheus.io) instrumentation tool | [iris-contrib/middleware/prometheus/_example](https://github.com/iris-contrib/middleware/tree/master/prometheus/_example) |
|
| [prometheus](https://github.com/iris-contrib/middleware/tree/master/prometheus)| Easily create metrics endpoint for the [prometheus](http://prometheus.io) instrumentation tool | [iris-contrib/middleware/prometheus/_example](https://github.com/iris-contrib/middleware/tree/master/prometheus/_example) |
|
||||||
| [casbin](https://github.com/iris-contrib/middleware/tree/master/casbin)| An authorization library that supports access control models like ACL, RBAC, ABAC | [iris-contrib/middleware/casbin/_examples](https://github.com/iris-contrib/middleware/tree/master/casbin/_examples) |
|
| [casbin](https://github.com/iris-contrib/middleware/tree/master/casbin)| An authorization library that supports access control models like ACL, RBAC, ABAC | [iris-contrib/middleware/casbin/_examples](https://github.com/iris-contrib/middleware/tree/master/casbin/_examples) |
|
||||||
| [raven](https://github.com/iris-contrib/middleware/tree/master/raven)| Sentry client in Go | [raven/_example](https://github.com/iris-contrib/middleware/blob/master/raven/_example/main.go) |
|
| [raven](https://github.com/iris-contrib/middleware/tree/master/raven)| Sentry client in Go | [raven/_example](https://github.com/iris-contrib/middleware/blob/master/raven/_example/main.go) |
|
||||||
|
| [csrf](https://github.com/iris-contrib/middleware/tree/master/csrf)| Cross-Site Request Forgery Protection | [csrf/_example](https://github.com/iris-contrib/middleware/blob/master/csrf/_example/main.go) (hard-tested for Iris) **NEW** |
|
||||||
Third-Party Handlers
|
Third-Party Handlers
|
||||||
------------
|
------------
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user