forked from dinever/golf
/
xsrf.go
61 lines (54 loc) · 1.23 KB
/
xsrf.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package golf
import (
"encoding/hex"
"math/rand"
"time"
)
const chars = "abcdefghijklmnopqrstuvwxyz0123456789"
func randomBytes(strlen int) []byte {
rand.Seed(time.Now().UTC().UnixNano())
result := make([]byte, strlen)
for i := 0; i < strlen; i++ {
result[i] = chars[rand.Intn(len(chars))]
}
return result
}
func decodeXSRFToken(maskedToken string) ([]byte, []byte, error) {
maskedTokenBytes, err := hex.DecodeString(maskedToken)
if err != nil {
return nil, nil, err
}
mask := maskedTokenBytes[0:4]
token := websocketMask(mask, maskedTokenBytes[4:])
return mask, token, nil
}
func websocketMask(mask, data []byte) []byte {
for i, v := range data {
data[i] = v ^ mask[i%4]
}
return data
}
func compareToken(tokenA, tokenB []byte) bool {
if tokenA == nil && tokenB == nil {
return true
}
if tokenA == nil || tokenB == nil {
return false
}
if len(tokenA) != len(tokenB) {
return false
}
for i := range tokenA {
if tokenA[i] != tokenB[i] {
return false
}
}
return true
}
func newXSRFToken() string {
tokenBytes := randomBytes(32)
maskBytes := randomBytes(4)
maskedTokenBytes := append(maskBytes, websocketMask(maskBytes, tokenBytes)...)
maskedToken := hex.EncodeToString(maskedTokenBytes)
return maskedToken
}