This repository has been archived by the owner on Dec 10, 2020. It is now read-only.
/
advanced.go
78 lines (62 loc) · 1.9 KB
/
advanced.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
// Demonstrates advanced usage of nosurf in conjuction with net/http:
// * wrapping DefaultServeMux (http.Handle(), etc.)
// * exempting URLs
// * setting your own failure handler
package main
import (
"fmt"
"html/template"
"net/http"
"github.com/danjac/podbaby/Godeps/_workspace/src/github.com/justinas/nosurf"
)
var templateString = `
<!doctype html>
<html>
<body>
{{ if .name }}
<p>Your name: {{ .name }}</p>
{{ end }}
<form action="" method="POST">
<input type="text" name="name">
<input type="hidden" name="csrf_token" value="{{ .token }}">
<input type="submit" value="Send">
</form>
</body>
</html>
`
var templ = template.Must(template.New("t1").Parse(templateString))
var esc = template.HTMLEscapeString
func Index(w http.ResponseWriter, r *http.Request) {
context := map[string]string{
"token": nosurf.Token(r),
}
if r.Method == "POST" {
context["name"] = r.FormValue("name")
}
templ.Execute(w, context)
}
func Handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Name: %s", esc(r.FormValue("name")))
}
func failHand(w http.ResponseWriter, r *http.Request) {
// will return the reason of the failure
fmt.Fprintf(w, "%s\n", nosurf.Reason(r))
}
func main() {
http.HandleFunc("/", Index)
// when you route urls with .Handle[Func]() they end up on DefaultServeMux
csrfHandler := nosurf.New(http.DefaultServeMux)
// exempting by an exact path...
// won't exempt /faq/question-1
csrfHandler.ExemptPath("/faq")
// exempting by a glob
// will exempt /post, /post1, /post2, etc.
// won't exempt /post1/comments, as * stops at a /
csrfHandler.ExemptGlob("/post*")
// exempting by a regexp
// will exempt /static, /static/, /static/favicon.ico, /static/css/style.css, etc.
csrfHandler.ExemptRegexp("/static(.*)")
// setting the failureHandler. Will call this in case the CSRF check fails.
csrfHandler.SetFailureHandler(http.HandlerFunc(failHand))
http.ListenAndServe(":8000", csrfHandler)
}