This repository has been archived by the owner on Feb 8, 2023. It is now read-only.

alibaba-archive/gear-csrf

gear-csrf

CSRF middleware for Gear.

Installation

go get -u github.com/teambition/gear-csrf

Usage

package main

import (
  "net/http"
  "time"

  "github.com/teambition/gear"
  csrf "github.com/teambition/gear-csrf"
)

func main() {
  app := gear.New()
  router := gear.NewRouter()
  // "some_key" is the server-side key; use a long random value in
  // production and keep it out of source control. The duration is the
  // validity window passed to the middleware.
  CSRF := csrf.New("some_key", time.Minute*10)

  // Hands the client a token bound to the secret kept in its cookie.
  // Do not expose this endpoint cross-origin (see "How it works").
  // http://127.0.0.1:3000/csrf
  router.Get("/csrf", func(ctx *gear.Context) error {
    secret := CSRF.SecretFromCookie(ctx)
    return ctx.JSON(http.StatusOK, map[string]string{
      "secret": secret,
      "token":  CSRF.SignToken(secret),
    })
  })

  // Enable the CSRF checking: CSRF.Serve rejects the request unless the
  // supplied token verifies against the cookie secret. This demo uses a
  // GET with the token in the query string so it is easy to try from a
  // browser; in a real application put CSRF.Serve in front of the
  // state-changing routes (POST, PUT, DELETE) instead.
  // http://127.0.0.1:3000/verify-csrf?csrf_token={token}
  router.Get("/verify-csrf", CSRF.Serve, func(ctx *gear.Context) error {
    secret := CSRF.SecretFromCookie(ctx)
    return ctx.JSON(http.StatusOK, map[string]string{
      "secret": secret,
      "verify": "ok",
    })
  })

  app.UseHandler(router)
  app.Listen(":3000")
}

How it works

gear-csrf defends against CSRF with a token that is derived from a per-user secret and a random salt. The user secret is shared between the user's browser and the web server through a cookie, and the browser attaches that cookie automatically to every request, including requests that an attacker's page triggers. For that reason every endpoint in your application that hands out a CSRF token (such as /csrf in the example above) must not support CORS: if an attacker's origin could read the response, it would obtain a token minted for the victim's secret and could then forge a request that passes the check. A token the attacker mints against his own secret is useless, because verification recomputes the token from the secret in the victim's cookie. The salt is there to defeat the BREACH attack: each issued token is randomized, so its bytes differ from response to response and an attacker who measures compressed response lengths cannot recover it one character at a time.
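The secret-plus-salt scheme described above, as an added illustration written for this page rather than gear-csrf's own code: the token layout (base64url salt, a dot, then base64url HMAC-SHA256 over salt and secret under the server key), the key "some_key" and the helper names are assumptions made for the example, not the library's internal format. It shows that two tokens issued for the same secret differ on the wire yet both verify, and that a token minted under a different secret does not.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// tokenScheme is an illustrative secret+salt CSRF token scheme (assumption:
// gear-csrf's real encoding may differ). A token is
//   base64url(salt) "." base64url(HMAC-SHA256(key, salt || secret))
// so it verifies only against the secret held in the user's cookie, and a
// fresh salt makes every issued token look different on the wire.
type tokenScheme struct {
	key []byte // server-side key, the value passed to csrf.New in the README
}

func newScheme(key string) *tokenScheme { return &tokenScheme{key: []byte(key)} }

// newSecret returns a random per-user secret, the value that would live in the cookie.
func (s *tokenScheme) newSecret() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// mac binds a salt and a secret together under the server key.
func (s *tokenScheme) mac(salt []byte, secret string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write(salt)
	m.Write([]byte(secret))
	return m.Sum(nil)
}

// signTokenWithSalt is deterministic for a given salt; signToken picks a random one,
// which is the BREACH defence: the same secret yields a different token every time.
func (s *tokenScheme) signTokenWithSalt(secret string, salt []byte) string {
	enc := base64.RawURLEncoding
	return enc.EncodeToString(salt) + "." + enc.EncodeToString(s.mac(salt, secret))
}

func (s *tokenScheme) signToken(secret string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return s.signTokenWithSalt(secret, salt), nil
}

// verifyToken recomputes the MAC from the token's own salt and the cookie secret
// and compares in constant time. A token minted under another secret fails.
func (s *tokenScheme) verifyToken(secret, token string) bool {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || len(salt) == 0 {
		return false
	}
	got, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, s.mac(salt, secret)) == 1
}

func main() {
	s := newScheme("some_key")
	secret, _ := s.newSecret()   // would be set as the user's cookie
	t1, _ := s.signToken(secret) // what /csrf would return
	t2, _ := s.signToken(secret) // a second request: different bytes, still valid
	attacker, _ := s.newSecret() // an attacker's own cookie secret
	at, _ := s.signToken(attacker)
	fmt.Println("tokens for one secret differ:", t1 != t2)
	fmt.Println("both verify for the victim:", s.verifyToken(secret, t1) && s.verifyToken(secret, t2))
	fmt.Println("attacker-secret token accepted as victim:", s.verifyToken(secret, at))
}
```

The only thing that makes the token useful to an attacker is reading one issued for the victim's secret, which is exactly why the token-issuing endpoint must stay same-origin.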

Documentation

The docs can be found at godoc.org, as usual.

License

MIT