Added configuration options and route exemptions

Author: cbonello

README.md

@@ -7,18 +7,23 @@ prevention for the [Revel framework](https://github.com/robfig/revel).
 Code is based on the `nosurf` package implemented by
 [Justinas Stankevičius](https://github.com/justinas/nosurf).
 
-## Limitations
-
-Package does not yet include provision to exempt specific routes from
-CSRF checks.
-
 ## Installation
 
     go get github.com/cbonello/revel-csrf
 
+## Configuration options
+
+Revel-csrf supports following configuration options in `app.conf`:
+
+* `csrf.ajax`
+A boolean value that indicates whether or not `revel-csrf` should support the injection and verification of CSRF tokens for XMLHttpRequests. Default value is `false`.
+
+* `csrf.token.length`
+An integer value that defines the number of characters that should be found within CSRF tokens. Token length should be in [32..512] and default value is 32 characters.
+
 ## Operating instructions
 
-Simply call the CSRFFilter() filter from init.go:   
+Simply call the CSRFFilter() filter in `app/init.go` right after `revel.SessionFilter`. The CSRF token is saved in the session cookie.  
 
     package app
 
@@ -35,8 +40,8 @@ Simply call the CSRFFilter() filter from init.go:
 		    revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
 		    revel.ParamsFilter,            // Parse parameters into Controller.Params.
 		    revel.SessionFilter,           // Restore and write the session cookie.
-		    revel.FlashFilter,             // Restore and write the flash cookie.
 		     csrf.CSRFFilter,              // CSRF prevention.
+		    revel.FlashFilter,             // Restore and write the flash cookie.
 		    revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
 		    revel.I18nFilter,              // Resolve the requested language
 		    revel.InterceptorFilter,       // Run interceptors around the action.
@@ -91,8 +96,9 @@ A demo application is provided in the samples directory. To launch it:
 
 ## TODO
 
-* Routes exemption.
-* Logger.
 * Unique token per-page.
-* Configuration options.
 * Test cases.
+
+## CONTRIBUTORS
+* Otto Bretz
+* Allen Dang

csrf.go

@@ -4,104 +4,101 @@
 package csrf
 
 import (
-  "crypto/subtle"
-  "github.com/golang/glog"
-  "github.com/robfig/revel"
-  "net/url"
-  "regexp"
+	"crypto/subtle"
+	"github.com/golang/glog"
+	"github.com/robfig/revel"
+	"net/url"
+	"regexp"
 )
 
 const (
-  cookieName = "csrf_token"
-  fieldName  = "csrf_token"
-  headerName = "X-CSRF-Token"
+	cookieName = "csrf_token"
+	fieldName  = "csrf_token"
+	headerName = "X-CSRF-Token"
 )
 
 var (
-  errNoReferer  = "A secure request contained no Referer or its value was malformed."
-  errBadReferer = "Same-origin policy failure."
-  errBadToken   = "CSRF tokens mismatch."
+	errNoReferer  = "REVEL_CSRF: A secure request contained no Referer or its value was malformed."
+	errBadReferer = "REVEL_CSRF: Same-origin policy failure."
+	errBadToken   = "REVEL_CSRF: tokens mismatch."
+	safeMethods = regexp.MustCompile("^(GET|HEAD|OPTIONS|TRACE)$")
 )
 
 var CSRFFilter = func(c *revel.Controller, fc []revel.Filter) {
-  r := c.Request.Request
+	r := c.Request.Request
 
-  // OWASP; General Recommendation: Synchronizer Token Pattern.
-  // CSRF tokens must be associated with the user's current session.
-  tokenCookie, found := c.Session[cookieName]
-  realToken := ""
-  if !found {
-    realToken = generateNewToken(c)
-  } else {
-    realToken = tokenCookie
-    glog.V(0).Infof("Session's CSRF token: '%s'", realToken)
-    if len(realToken) != tokenLength {
-      // Wrong length; token has either been tampered with, we're migrating
-      // onto a new algorithm for generating tokens, or a new session has
-      // been initiated. In any case, a new token is generated and the
-      // error will be detected later.
-      glog.V(0).Infof("Bad CSRF token length: found %d, expected %d",
-        len(realToken), tokenLength)
-      realToken = generateNewToken(c)
-    }
-  }
+	// [OWASP]; General Recommendation: Synchronizer Token Pattern:
+	// CSRF tokens must be associated with the user's current session.
+	tokenCookie, found := c.Session[cookieName]
+	realToken := ""
+	if !found {
+		realToken = generateNewToken(c)
+	} else {
+		realToken = tokenCookie
+		glog.V(2).Infof("REVEL-CSRF: Session's token: '%s'", realToken)
+		if len(realToken) != lengthCSRFToken {
+			// Wrong length; token has either been tampered with, we're migrating
+			// onto a new algorithm for generating tokens, or a new session has
+			// been initiated. In any case, a new token is generated and the
+			// error will be detected later.
+			glog.V(2).Infof("REVEL_CSRF: Bad token length: found %d, expected %d",
+				len(realToken), lengthCSRFToken)
+			realToken = generateNewToken(c)
+		}
+	}
 
-  c.RenderArgs[fieldName] = realToken
+	c.RenderArgs[fieldName] = realToken
 
-  // See http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods
-  safeMethod, _ := regexp.MatchString("^(GET|HEAD|OPTIONS|TRACE)$", r.Method)
-  if !safeMethod {
-    glog.V(0).Infof("Unsafe %s method...", r.Method)
-    if r.URL.Scheme == "https" {
-      // See OWASP; Checking the Referer Header.
-      referer, err := url.Parse(r.Header.Get("Referer"))
-      if err != nil || referer.String() == "" {
-        // Parse error or empty referer.
-        c.Result = c.Forbidden(errNoReferer)
-        return
-      }
-      // See OWASP; Checking the Origin Header.
-      if !sameOrigin(referer, r.URL) {
-        c.Result = c.Forbidden(errBadReferer)
-        return
-      }
-    }
+	// See http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods
+	unsafeMethod := !safeMethods.MatchString(r.Method)
+	if unsafeMethod && !IsExempted(r.URL.Path) {
+		glog.V(2).Infof("REVEL-CSRF: Processing unsafe '%s' method...", r.Method)
+		if r.URL.Scheme == "https" {
+			// See [OWASP]; Checking the Referer Header.
+			referer, err := url.Parse(r.Header.Get("Referer"))
+			if err != nil || referer.String() == "" {
+				// Parse error or empty referer.
+				c.Result = c.Forbidden(errNoReferer)
+				return
+			}
+			// See [OWASP]; Checking the Origin Header.
+			if !sameOrigin(referer, r.URL) {
+				c.Result = c.Forbidden(errBadReferer)
+				return
+			}
+		}
 
-    // Accept CSRF token in the custom HTTP header X-CSRF-Token, as well as
-    // in the form submission itself, for ease of use with popular JavaScript
-    // toolkits which allow insertion of custom headers into all AJAX
-    // requests. See http://erlend.oftedal.no/blog/?blogid=118
-    sentToken := r.Header.Get(headerName)
-    if sentToken == "" {
-      sentToken = c.Params.Get(fieldName)
-    }
-    glog.V(0).Infof("CSRF token received: '%s'", sentToken)
+		sentToken := ""
+		if ajaxSupport := revel.Config.BoolDefault("csrf.ajax", false); ajaxSupport {
+		  // Accept CSRF token in the custom HTTP header X-CSRF-Token, for ease
+		  // of use with popular JavaScript toolkits which allow insertion of
+		  // custom headers into all AJAX requests.
+		  // See http://erlend.oftedal.no/blog/?blogid=118
+		  sentToken = r.Header.Get(headerName)
+		}
+		if sentToken == "" {
+			// Get CSRF token from form.
+		  sentToken = c.Params.Get(fieldName)
+		}
+		glog.V(2).Infof("REVEL-CSRF: Token received from client: '%s'", sentToken)
 
-    if len(sentToken) != len(realToken) {
-      c.Result = c.Forbidden(errBadToken)
-      return
-    } else {
-      comparison := subtle.ConstantTimeCompare([]byte(sentToken), []byte(realToken))
-      if comparison != 1 {
-        c.Result = c.Forbidden(errBadToken)
-        return
-      }
-    }
-  }
-  glog.V(0).Infoln("CSRF token successfully checked.")
+		if len(sentToken) != len(realToken) {
+			c.Result = c.Forbidden(errBadToken)
+			return
+		}
+		comparison := subtle.ConstantTimeCompare([]byte(sentToken), []byte(realToken))
+		if comparison != 1 {
+			c.Result = c.Forbidden(errBadToken)
+			return
+		}
+		glog.V(2).Infoln("REVEL-CSRF: Token successfully checked.")
+	}
 
-  fc[0](c, fc[1:])
+	fc[0](c, fc[1:])
 }
 
 // See http://en.wikipedia.org/wiki/Same-origin_policy
 func sameOrigin(u1, u2 *url.URL) bool {
-  return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
+	return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
 }
 
-// Generate a new CSRF token.
-func generateNewToken(c *revel.Controller) string {
-  token := generateToken()
-  glog.V(0).Infof("Generated new CSRF Token: '%s'", token)
-  c.Session[cookieName] = token
-  return token
-}

samples/demo/app/controllers/app.go

@@ -15,6 +15,12 @@ func (c App) Index() revel.Result {
 }
 
 func (c App) Hello(name string) revel.Result {
+	route := c.Request.Request.URL.Path
+	exempted := (route == "/HelloExempted")
+	return c.Render(name, exempted)
+}
+
+func (c App) Hello123Exempted(name string) revel.Result {
 	return c.Render(name)
 }
 

samples/demo/app/init.go

@@ -13,11 +13,14 @@ func init() {
 		revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
 		revel.ParamsFilter,            // Parse parameters into Controller.Params.
 		revel.SessionFilter,           // Restore and write the session cookie.
-		revel.FlashFilter,             // Restore and write the flash cookie.
 		 csrf.CSRFFilter,              // CSRF prevention.
+		revel.FlashFilter,             // Restore and write the flash cookie.
 		revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
 		revel.I18nFilter,              // Resolve the requested language
 		revel.InterceptorFilter,       // Run interceptors around the action.
 		revel.ActionInvoker,           // Invoke the action.
 	}
+
+	csrf.ExemptedFullPath("/HelloExempted")
+	csrf.ExemptedGlob("/Hello[0-9]?3/Exempted")
 }

samples/demo/app/views/App/Hello.html

@@ -18,9 +18,38 @@ <h1>{{if .name}}Hello {{ .name }}{{else}}Hello anonymous user{{end}}</h1>
             {{template "flash.html" .}}
         </div>
     </div>
-</div>
-
-<div class="container">
+{{if .exempted}}
+    <div class="row">
+        <h2>This route is exempted from CSRF checks.</h2>
+        <p>
+            See <b>github.com/cbonello/revel-csrf/samples/demo/app/init.go</b>: csrf.ExemptedFullPath("/HelloExempted")
+        </p>
+    </div>
+    <div class="row">
+        <p>
+            Clicking on the Go Back link will trigger generation of a new index
+            page and reset the CSRF token to a valid value. Click on your browser's
+            Back button if you want to keep the altered CSRF token. This behaviour
+            is caused by the demo implementation and does not exhibits any bug in
+            revel-csrf.
+        </p>
+        <p>
+            <b>Note:</b> Clicking on Go Back is your best option if you reached
+            this page through an AJAX call. But that will reset the CSRF token to
+            a valid value!
+        </p>
+    </div>
+{{else}}
+    <div class="row">
+        <h2>This route is not exempted from CSRF checks.</h2>
+    </div>
+    <div class="row">
+        <p>
+            <b>Note:</b> Clicking on Go Back is your best option if you reached
+            this page through an AJAX call.
+        </p>
+    </div>
+{{end}}
     <div class="row">
         <div class="span12">
             <a href="/">Go Back</a>

samples/demo/app/views/App/Hello123Exempted.html

@@ -21,7 +21,7 @@ <h1>{{if .name}}Hello {{ .name }}{{else}}Hello anonymous user{{end}}</h1>
     <div class="row">
         <h2>This route is exempted from CSRF checks.</h2>
         <p>
-            See <b>app/init.go</b>: csrf.ExemptedGlob("/Hello[0-9]?3/Exempted")
+            See <b>github.com/cbonello/revel-csrf/samples/demo/app/init.go</b>: csrf.ExemptedGlob("/Hello[0-9]?3/Exempted")
         </p>
     </div>
     <div class="row">