Merge branch 'master' of https://github.com/cbonello/revel-csrf

Conflicts:
	csrf.go

Author: cbonello

README.md

@@ -23,7 +23,7 @@ An integer value that defines the number of characters that should be found with
 
 ## Operating instructions
 
-Simply call the CSRFFilter() filter in `app/init.go` right after `revel.SessionFilter`. The CSRF token is saved in the session cookie.  
+Simply call the CSRFFilter() filter in `app/init.go`.  
 
     package app
 
@@ -40,8 +40,8 @@ Simply call the CSRFFilter() filter in `app/init.go` right after `revel.SessionF
 		    revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
 		    revel.ParamsFilter,            // Parse parameters into Controller.Params.
 		    revel.SessionFilter,           // Restore and write the session cookie.
-		     csrf.CSRFFilter,              // CSRF prevention.
 		    revel.FlashFilter,             // Restore and write the flash cookie.
+		     csrf.CSRFFilter,              // CSRF prevention.
 		    revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
 		    revel.I18nFilter,              // Resolve the requested language
 		    revel.InterceptorFilter,       // Run interceptors around the action.
@@ -101,4 +101,4 @@ A demo application is provided in the samples directory. To launch it:
 
 ## CONTRIBUTORS
 * Otto Bretz
-* Allen Dang
+* Allen Dang

csrf.go

@@ -21,7 +21,7 @@ var (
 	errNoReferer  = "REVEL_CSRF: A secure request contained no Referer or its value was malformed."
 	errBadReferer = "REVEL_CSRF: Same-origin policy failure."
 	errBadToken   = "REVEL_CSRF: tokens mismatch."
-	safeMethods = regexp.MustCompile("^(GET|HEAD|OPTIONS|TRACE)$")
+	safeMethods   = regexp.MustCompile("^(GET|HEAD|OPTIONS|TRACE)$")
 )
 
 var CSRFFilter = func(c *revel.Controller, fc []revel.Filter) {
@@ -70,15 +70,15 @@ var CSRFFilter = func(c *revel.Controller, fc []revel.Filter) {
 
 		sentToken := ""
 		if ajaxSupport := revel.Config.BoolDefault("csrf.ajax", false); ajaxSupport {
-		  // Accept CSRF token in the custom HTTP header X-CSRF-Token, for ease
-		  // of use with popular JavaScript toolkits which allow insertion of
-		  // custom headers into all AJAX requests.
-		  // See http://erlend.oftedal.no/blog/?blogid=118
-		  sentToken = r.Header.Get(headerName)
+			// Accept CSRF token in the custom HTTP header X-CSRF-Token, for ease
+			// of use with popular JavaScript toolkits which allow insertion of
+			// custom headers into all AJAX requests.
+			// See http://erlend.oftedal.no/blog/?blogid=118
+			sentToken = r.Header.Get(headerName)
 		}
 		if sentToken == "" {
 			// Get CSRF token from form.
-		  sentToken = c.Params.Get(fieldName)
+			sentToken = c.Params.Get(fieldName)
 		}
 		glog.V(2).Infof("REVEL-CSRF: Token received from client: '%s'", sentToken)
 
@@ -101,4 +101,3 @@ var CSRFFilter = func(c *revel.Controller, fc []revel.Filter) {
 func sameOrigin(u1, u2 *url.URL) bool {
 	return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
 }
-

exemptions.go

@@ -2,8 +2,8 @@
 package csrf
 
 import (
-	"github.com/golang/glog"
 	"fmt"
+	"github.com/golang/glog"
 	pathPackage "path"
 	"sync"
 )
@@ -19,9 +19,9 @@ var (
 	exemptionsFullPath = struct {
 		sync.RWMutex
 		list map[string]struct{}
-	} {
-			list: make(map[string]struct{}),
-		}
+	}{
+		list: make(map[string]struct{}),
+	}
 
 	exemptionsGlobs globPath
 )

samples/demo/app/init.go

@@ -13,8 +13,8 @@ func init() {
 		revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
 		revel.ParamsFilter,            // Parse parameters into Controller.Params.
 		revel.SessionFilter,           // Restore and write the session cookie.
-		 csrf.CSRFFilter,              // CSRF prevention.
 		revel.FlashFilter,             // Restore and write the flash cookie.
+		 csrf.CSRFFilter,              // CSRF prevention.
 		revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
 		revel.I18nFilter,              // Resolve the requested language
 		revel.InterceptorFilter,       // Run interceptors around the action.

tokengen.go

@@ -2,11 +2,11 @@
 package csrf
 
 import (
-	"github.com/golang/glog"
-	"github.com/robfig/revel"
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
+	"github.com/golang/glog"
+	"github.com/robfig/revel"
 	"io"
 )
 
@@ -15,7 +15,7 @@ var rawTokenLength, lengthCSRFToken int
 func getRandomBytes(length int) (bytes []byte, err error) {
 	bytes = make([]byte, length)
 	_, err = io.ReadFull(rand.Reader, bytes)
-  return
+	return
 }
 
 // A CSRF token is generated by encoding bytes read from crypto/rand as base64.
@@ -30,17 +30,17 @@ func generateNewToken(c *revel.Controller) (token string) {
 }
 
 func init() {
-  revel.OnAppStart(func() {
-    rawTokenLength = revel.Config.IntDefault("csrf.token.length", 32)
-    if rawTokenLength < 32 || rawTokenLength > 512 {
-      panic(fmt.Sprintf("REVEL_CSRF: csrf.token.length=%d: expected a length in [32..512]", rawTokenLength))
-    }
-    lengthCSRFToken = base64.StdEncoding.EncodedLen(rawTokenLength)
+	revel.OnAppStart(func() {
+		rawTokenLength = revel.Config.IntDefault("csrf.token.length", 32)
+		if rawTokenLength < 32 || rawTokenLength > 512 {
+			panic(fmt.Sprintf("REVEL_CSRF: csrf.token.length=%d: expected a length in [32..512]", rawTokenLength))
+		}
+		lengthCSRFToken = base64.StdEncoding.EncodedLen(rawTokenLength)
 
-	  // Check that cryptographically secure PRNG is available.
-    _, err := getRandomBytes(1)
-	  if err != nil {
-		  panic(fmt.Sprintf("REVEL_CSRF: crypto/rand is unavailable: Read() failed with %#v", err))
-	  }
-  })
+		// Check that cryptographically secure PRNG is available.
+		_, err := getRandomBytes(1)
+		if err != nil {
+			panic(fmt.Sprintf("REVEL_CSRF: crypto/rand is unavailable: Read() failed with %#v", err))
+		}
+	})
 }