first commit

Author: cbonello

samples/demo/.gitignore

@@ -0,0 +1,3 @@
+test-results/
+tmp/
+routes/

samples/demo/app/controllers/app.go

@@ -0,0 +1,28 @@
+package controllers
+
+import (
+    "github.com/robfig/revel"
+    "csrf-nosurf/app/routes"
+    "fmt"
+)
+
+type App struct {
+	*revel.Controller
+}
+
+func (c App) Index() revel.Result {
+	return c.Render()
+}
+
+func (c App) Hello(name string) revel.Result {
+	return c.Render(name)
+}
+
+func (c App) Logout(name string) revel.Result {
+	fmt.Printf("Deleting session keys...\n")
+	for k := range c.Session {
+		fmt.Printf("Deleting Session[%s]: '%s'\n", k, c.Session[k])
+		delete(c.Session, k)
+	}
+	return c.Redirect(routes.App.Index())
+}

samples/demo/app/init.go

@@ -0,0 +1,23 @@
+package app
+
+import (
+    "github.com/cbonello/revel-csrf"
+    "github.com/robfig/revel"
+)
+
+func init() {
+	// Filters is the default set of global filters.
+	revel.Filters = []revel.Filter{
+		revel.PanicFilter,             // Recover from panics and display an error page instead.
+		revel.RouterFilter,            // Use the routing table to select the right Action
+		revel.FilterConfiguringFilter, // A hook for adding or removing per-Action filters.
+		revel.ParamsFilter,            // Parse parameters into Controller.Params.
+		revel.SessionFilter,           // Restore and write the session cookie.
+		revel.FlashFilter,             // Restore and write the flash cookie.
+		 csrf.CSRFFilter,              // CSRF prevention.
+		revel.ValidationFilter,        // Restore kept validation errors and save new ones from cookie.
+		revel.I18nFilter,              // Resolve the requested language
+		revel.InterceptorFilter,       // Run interceptors around the action.
+		revel.ActionInvoker,           // Invoke the action.
+	}
+}

samples/demo/app/views/App/Hello.html

@@ -0,0 +1,31 @@
+{{set . "title" "Home"}}
+{{template "header.html" .}}
+
+<header class="hero-unit" style="background-color:#A9F16C">
+    <div class="container">
+        <div class="row">
+            <div class="hero-text">
+                <h1>{{if .name}}Hello {{ .name }}{{else}}Hello anonymous user{{end}}</h1>
+                <p></p>
+            </div>
+        </div>
+    </div>
+</header>
+
+<div class="container">
+    <div class="row">
+        <div class="span6">
+            {{template "flash.html" .}}
+        </div>
+    </div>
+</div>
+
+<div class="container">
+    <div class="row">
+        <div class="span12">
+            <a href="/">Go Back</a>
+        </div>
+    </div>
+</div>
+
+{{template "footer.html" .}}

samples/demo/app/views/App/Index.html

@@ -0,0 +1,131 @@
+{{set . "title" "Home"}}
+{{template "header.html" .}}
+
+<header class="hero-unit" style="background-color:#A9F16C">
+    <div class="container">
+        <div class="row">
+            <div class="hero-text">
+                <h1>It works!</h1>
+                <p></p>
+            </div>
+        </div>
+    </div>
+</header>
+
+<div class="container">
+    <div class="row">
+        <div class="span6">
+            {{template "flash.html" .}}
+        </div>
+    </div>
+</div>
+
+<div class="container">
+    <div class="row" style="padding-bottom: 25px;">
+        <a href="/Logout" class="btn btn-success" data-toggle="tooltip"
+            title="Clear session to force generation of a new CSRF token">Clear Session</a>
+        <a href="#AlterModal" id="alterCSRFButton" role="button" class="btn btn-danger"
+            data-toggle="tooltip" title="Alter CSRF token so that subsequent connections with server fail">Alter CSRF Token</a>
+    </div>
+    <div class="row">
+        <form class="form-inline" action="/Hello" method="POST">
+            <input type="text" name="name" />
+            <input type="hidden" id="CSRFToken" name="csrf_token" value="{{ .csrf_token }}" />
+            <button type="submit" class="btn btn-primary">Send (POST Method)</button>
+        </form>
+    </div>
+    <div class="row" style="padding-bottom: 25px;">
+        <form id="AJAXForm" class="form-inline">
+            <input id="AJAXFormName" type="text" name="name" />
+            <button type="submit" class="btn btn-primary">Send (AJAX POST Call)</button>
+        </form>
+    </div>
+</div>
+<div class="container">
+    <div class="row">
+        <div class="span2">CSRF token:</div>
+        <div id="CSRFTokenDisplay" class="span10">{{ .csrf_token }}</div>
+    </div>
+</div>
+<div class="container" id="cookies">
+    <h3>Cookies</h3>
+</div>
+
+<div id="AlterModal" class="modal hide" tabindex="-1" role="dialog" aria-labelledby="AlterModalLabel" aria-hidden="true">
+    <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
+        <h3 id="AlterModalLabel">Warning</h3>
+    </div>
+    <div class="modal-body">
+        <p>
+            Hidden CSRF token (in form) has been tampered and subsequent connections
+            to server should fail. Clear session to restore.
+         </p>
+         <p>
+            For some reason, CSRF token will still have its old value if you display
+            the source code. But it has really been updated, trust me!
+         </p>
+    </div>
+    <div class="modal-footer">
+        <button class="btn" data-dismiss="modal" aria-hidden="true">Close</button>
+    </div>
+</div>
+
+<script src="/public/js/bootstrap.min.js" type="text/javascript" charset="utf-8"></script>
+
+<script>
+function listCookies() {
+    var cookies = document.cookie.split(';');
+    for (var i = 0 ; i < cookies.length; i++) {
+        c = cookies[i].split('=');
+        $("#cookies").append('<p><div class="row"><div class="span2">'+c[0]+'</div><div class="span10">'+c[1]+'</div></div></p>');
+    }
+}
+
+function csrfSafeMethod(method) {
+    // These HTTP methods do not require CSRF protection.
+    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
+}
+
+$.ajaxSetup({
+    cache: false,
+    crossDomain: false,
+    beforeSend: function(xhr, settings) {
+        if (!csrfSafeMethod(settings.type)) {
+            xhr.setRequestHeader("X-CSRF-Token", $("#CSRFTokenDisplay").text());
+        }
+    }
+});
+
+$( document ).ready(function() {
+    $("#alterCSRFButton").click(function() {
+        var alteredToken = $("#CSRFToken").val().concat("REVEL");
+        $("input[id='CSRFToken']").val(alteredToken);
+        $("#CSRFTokenDisplay").text(alteredToken);
+        $("#AlterModal").modal("show");
+    });
+
+    $("#AJAXForm").submit(function(event){
+        event.preventDefault();
+
+        $.ajax({
+            type: "POST",
+            url: "/Hello",
+            data: {
+                name: $("#AJAXFormName").val()
+            },
+            success: function(data) {
+                // Switch to HTML code returned by server on success.
+                jQuery("body").html(data);
+            },
+            error: function(jqXHR, status, errorThrown) {
+                alert(jqXHR.statusText);
+            },
+        });
+    });
+
+    listCookies();
+});
+</script>
+
+{{template "footer.html" .}}

samples/demo/app/views/debug.html

@@ -0,0 +1,62 @@
+<style type="text/css">
+	#sidebar {
+		position: absolute;
+		right: 0px;
+		top:69px;
+		max-width: 75%;
+		z-index: 1000;
+		background-color: #fee;
+		border: thin solid grey;
+		padding: 10px;
+	}
+	#toggleSidebar {
+		position: absolute;
+		right: 0px;
+		top: 50px;
+		background-color: #fee;
+	}
+
+</style>
+<div id="sidebar" style="display:none;">
+	<h4>Available pipelines</h4>
+	<dl>
+	{{ range $index, $value := .}}
+		<dt>{{$index}}</dt>
+		<dd>{{$value}}</dd>
+	{{end}}
+	</dl>
+	<h4>Flash</h4>
+	<dl>
+	{{ range $index, $value := .flash}}
+		<dt>{{$index}}</dt>
+		<dd>{{$value}}</dd>
+	{{end}}
+	</dl>
+
+	<h4>Errors</h4>
+	<dl>
+	{{ range $index, $value := .errors}}
+		<dt>{{$index}}</dt>
+		<dd>{{$value}}</dd>
+	{{end}}
+	</dl>
+</div>
+<a id="toggleSidebar" href="#" class="toggles"><i class="icon-chevron-left"></i></a>
+
+<script>
+	$sidebar = 0;
+	$('#toggleSidebar').click(function() {
+		if ($sidebar === 1) {
+			$('#sidebar').hide();
+			$('#toggleSidebar i').addClass('icon-chevron-left');
+			$('#toggleSidebar i').removeClass('icon-chevron-right');
+			$sidebar = 0;
+		}
+		else {
+			$('#sidebar').show();
+			$('#toggleSidebar i').addClass('icon-chevron-right');
+			$('#toggleSidebar i').removeClass('icon-chevron-left');
+			$sidebar = 1;
+		}
+	});
+</script>

samples/demo/app/views/errors/404.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<title>Not found</title>
+	</head>
+	<body>
+{{if eq .RunMode "dev"}}
+{{template "errors/404-dev.html" .}}
+{{else}}
+	{{with .Error}}
+	<h1>
+		{{.Title}}
+	</h1>
+	<p>
+		{{.Description}}
+	</p>
+	{{end}}
+{{end}}
+	</body>
+</html>

samples/demo/app/views/errors/500.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>Application error</title>
+	</head>
+	<body>
+		{{if eq .RunMode "dev"}}
+		{{template "errors/500-dev.html" .}}
+		{{else}}
+		<h1>Oops, an error occured</h1>
+		<p>
+			This exception has been logged.
+		</p>
+		{{end}}
+	</body>
+</html>

samples/demo/app/views/flash.html

@@ -0,0 +1,18 @@
+{{if .flash.success}}
+<div class="alert alert-success">
+	{{.flash.success}}
+</div>
+{{end}}
+
+{{if or .errors .flash.error}}
+<div class="alert alert-error">
+	{{if .flash.error}}
+		{{.flash.error}}
+	{{end}}
+	<ul style="margin-top:10px;">
+		{{range .errors}}
+			<li>{{.}}</li>
+		{{end}}
+	</ul>
+</div>
+{{end}}

samples/demo/app/views/footer.html

@@ -0,0 +1,5 @@
+  {{if eq .RunMode "dev"}}
+    {{template "debug.html" .}}
+  {{end}}
+  </body>
+</html>

samples/demo/app/views/header.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+
+<html>
+    <head>
+        <title>{{.title}}</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+        <link rel="stylesheet" type="text/css" href="/public/css/bootstrap.css">
+        <link rel="shortcut icon" type="image/png" href="/public/img/favicon.png">
+        <script src="/public/js/jquery-1.9.1.min.js" type="text/javascript" charset="utf-8"></script>
+        {{range .moreStyles}}
+            <link rel="stylesheet" type="text/css" href="/public/{{.}}">
+        {{end}}
+        {{range .moreScripts}}
+            <script src="/public/{{.}}" type="text/javascript" charset="utf-8"></script>
+        {{end}}
+    </head>
+<body>