Add an example for CSRF Protection

Former-commit-id: c38fd425b00210f730e274385cb2156b423f7fbc

_examples/README.md

@@ -309,6 +309,7 @@ You can serve [quicktemplate](https://github.com/valyala/quicktemplate) files to
 - [Profiling (pprof)](miscellaneous/pprof/main.go)
 - [Internal Application File Logger](miscellaneous/file-logger/main.go)
 - [Google reCAPTCHA](miscellaneous/recaptcha/main.go)
+- [Cross-Site Request Forgery Protection](miscellaneous/csrf/main.go) 
 
 ### Experimental Handlers
 

_examples/miscellaneous/csrf/main.go

@@ -0,0 +1,55 @@
+// This middleware provides Cross-Site Request Forgery
+// protection.
+//
+// It securely generates a masked (unique-per-request) token that
+// can be embedded in the HTTP response (e.g. form field or HTTP header).
+// The original (unmasked) token is stored in the session, which is inaccessible
+// by an attacker (provided you are using HTTPS). Subsequent requests are
+// expected to include this token, which is compared against the session token.
+// Requests that do not provide a matching token are served with a HTTP 403
+// 'Forbidden' error response.
+package main
+
+// $ go get -u github.com/iris-contrib/middleware/...
+
+import (
+	"github.com/kataras/iris"
+
+	"github.com/iris-contrib/middleware/csrf"
+)
+
+func main() {
+	app := iris.New()
+	app.RegisterView(iris.HTML("./views", ".html"))
+	// Note that the authentication key provided should be 32 bytes
+	// long and persist across application restarts.
+	protect := csrf.Protect([]byte("9AB0F421E53A477C084477AEA06096F5"),
+		csrf.Secure(false)) // Defaults to true, but pass `false` while no https (devmode).
+
+	users := app.Party("/user", protect)
+	{
+		users.Get("/signup", getSignupForm)
+		// // POST requests without a valid token will return a HTTP 403 Forbidden.
+		users.Post("/signup", postSignupForm)
+	}
+
+	// GET: http://localhost:8080/user/signup
+	// POST: http://localhost:8080/user/signup
+	app.Run(iris.Addr(":8080"))
+}
+
+func getSignupForm(ctx iris.Context) {
+	// views/signup.html just needs a {{ .csrfField }} template tag for
+	// csrf.TemplateField to inject the CSRF token into. Easy!
+	ctx.ViewData(csrf.TemplateTag, csrf.TemplateField(ctx))
+	ctx.View("views/user/signup.html")
+
+	// We could also retrieve the token directly from csrf.Token(r) and
+	// set it in the request header - ctx.GetHeader("X-CSRF-Token", token)
+	// This is useful if you're sending JSON to clients or a front-end JavaScript
+	// framework.
+}
+
+func postSignupForm(ctx iris.Context) {
+	ctx.Writef("You're welcome mate!")
+}

_examples/miscellaneous/csrf/views/user/signup.html

@@ -0,0 +1,4 @@
+<form method="POST" action="/user/signup">
+    {{ .csrfField }}
+<button type="submit">Procceed</button>
+</form>

middleware/README.md

@@ -26,7 +26,7 @@ Most of the experimental handlers are ported to work with _iris_'s handler form,
 | [prometheus](https://github.com/iris-contrib/middleware/tree/master/prometheus)| Easily create metrics endpoint for the [prometheus](http://prometheus.io) instrumentation tool | [iris-contrib/middleware/prometheus/_example](https://github.com/iris-contrib/middleware/tree/master/prometheus/_example) |
 | [casbin](https://github.com/iris-contrib/middleware/tree/master/casbin)| An authorization library that supports access control models like ACL, RBAC, ABAC | [iris-contrib/middleware/casbin/_examples](https://github.com/iris-contrib/middleware/tree/master/casbin/_examples) |
 | [raven](https://github.com/iris-contrib/middleware/tree/master/raven)| Sentry client in Go | [raven/_example](https://github.com/iris-contrib/middleware/blob/master/raven/_example/main.go) |
-
+| [csrf](https://github.com/iris-contrib/middleware/tree/master/csrf)| Cross-Site Request Forgery Protection | [csrf/_example](https://github.com/iris-contrib/middleware/blob/master/csrf/_example/main.go) (hard-tested for Iris) **NEW** |
 Third-Party Handlers
 ------------