package main
import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/able8/snippetbox/pkg/models"
	"github.com/justinas/nosurf"
)
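// secureHeaders sets browser-side hardening headers on every response and
// then hands the request to the next handler in the chain.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Legacy header: the XSS auditor it controls has been removed from
		// current Chromium/Edge and never existed in Firefox, so it only
		// affects old clients. A Content-Security-Policy is the modern
		// control and should be added once the app's inline script/style
		// usage is known.
		w.Header().Set("X-XSS-Protection", "1; mode=block")
		// Refuse to be rendered inside a frame by any origin (clickjacking).
		w.Header().Set("X-Frame-Options", "deny")
		// Stop browsers from MIME-sniffing a response into a different type
		// (e.g. interpreting a text or JSON body as HTML/script).
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}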
// logRequest writes one info-level line per request (client address,
// protocol, method and request URI) and then passes the request on unchanged.
//
// Note: RequestURI() includes the raw query string, so anything a client puts
// in query parameters (tokens, e-mail addresses, ...) ends up in the log.
func (app *application) logRequest(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		remote, proto, method, uri := r.RemoteAddr, r.Proto, r.Method, r.URL.RequestURI()
		app.infoLog.Printf("%s - %s %s %s", remote, proto, method, uri)
		next.ServeHTTP(w, r)
	}
	return http.HandlerFunc(fn)
}
// recoverPanic turns a panic raised anywhere further down the chain into a
// server-error response via app.serverError, instead of letting the request
// goroutine die and the client see a dropped connection.
//
// Only panics on this request's goroutine are caught; a goroutine spawned by
// a handler needs its own recover.
func (app *application) recoverPanic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// recover only has effect when called directly from a deferred
		// function on the panicking goroutine, hence the inline closure.
		defer func() {
			p := recover()
			if p == nil {
				return
			}
			// Ask the server to close the connection after the error
			// response: handler state is no longer trusted after a panic.
			w.Header().Set("Connection", "close")
			app.serverError(w, fmt.Errorf("%s", p))
		}()
		next.ServeHTTP(w, r)
	})
}
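// requireAuthentication gates a handler behind a logged-in session.
// Anonymous requests are redirected to the login page; the path they were
// trying to reach is remembered in the session so the login handler can send
// them back afterwards.
func (app *application) requireAuthentication(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !app.isAuthenticated(r) {
			// Only remember a path that is guaranteed to stay on this site.
			// r.URL.Path is client-controlled; a value such as
			// "//evil.example/" (or the "/\evil.example" variant) is treated
			// by browsers as a protocol-relative URL, so if the login handler
			// (elsewhere in the app) later redirects to it unchecked the
			// result is an open redirect. Anything else that begins with a
			// single "/" cannot leave the current origin.
			if p := r.URL.Path; isLocalPath(p) {
				app.session.Put(r, "redirectPathAfterLogin", p)
			}
			http.Redirect(w, r, "/user/login", http.StatusSeeOther)
			return
		}
		// Authenticated-only pages must not be served from a browser or
		// shared cache (e.g. via the back button after logout).
		w.Header().Add("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}

// isLocalPath reports whether p is an absolute path on this origin: it starts
// with exactly one "/" and is neither a protocol-relative ("//host") nor a
// backslash-variant ("/\host") URL.
func isLocalPath(p string) bool {
	return strings.HasPrefix(p, "/") &&
		!strings.HasPrefix(p, "//") &&
		!strings.HasPrefix(p, "/\\")
}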
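// noSurf wraps next with nosurf's CSRF token check, using a base cookie that
// is HttpOnly (not readable by page script), scoped to the whole site, Secure
// (only sent over HTTPS -- it will not round-trip on a plain-HTTP dev server)
// and SameSite=Lax so cross-site form POSTs never carry it in the first place.
// SameSite is a second layer on top of the token comparison, not a
// replacement for it.
func noSurf(next http.Handler) http.Handler {
	csrfHandler := nosurf.New(next)
	csrfHandler.SetBaseCookie(http.Cookie{
		HttpOnly: true,
		Path:     "/",
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	return csrfHandler
}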
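// authenticate resolves the session's authenticatedUserID (if present) to a
// user record and, when that user exists and is active, marks the request
// context as authenticated for downstream handlers. Stale or deactivated
// accounts are logged out; any other lookup error is a server error.
func (app *application) authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// No session marker: the request stays anonymous.
		if !app.session.Exists(r, "authenticatedUserID") {
			next.ServeHTTP(w, r)
			return
		}
		user, err := app.users.Get(app.session.GetInt(r, "authenticatedUserID"))
		switch {
		case errors.Is(err, models.ErrNoRecord):
			// Session points at an account that no longer exists: drop the
			// marker and continue as anonymous.
			app.session.Remove(r, "authenticatedUserID")
			next.ServeHTTP(w, r)
			return
		case err != nil:
			// Any other failure (e.g. database unavailable) must be handled
			// before user is read: with a non-nil error the returned user is
			// either a nil pointer (panic on .Active) or a zero value (the
			// error would be silently treated as "inactive" and log the
			// user out). Either way err has to be checked first.
			app.serverError(w, err)
			return
		case !user.Active:
			// Deactivated account: log the session out rather than serve it.
			app.session.Remove(r, "authenticatedUserID")
			next.ServeHTTP(w, r)
			return
		}
		// Active, authenticated user: record that on a copy of the request
		// context so isAuthenticated and the handlers can see it.
		ctx := context.WithValue(r.Context(), contextKeyIsAuthenticated, true)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}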