99 lines
2.5 KiB
Go
99 lines
2.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func randomToken(n int) (string, error) {
|
|
b := make([]byte, n)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.RawURLEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
// EnsureCSRFCookie sets a csrf_token cookie if it's missing.
|
|
//
|
|
// Uses SameSite=Strict to reduce cross-site cookie sending.
|
|
// HttpOnly must be false so browser JS can read it and send it back in a header.
|
|
func EnsureCSRFCookie() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if tok, err := c.Cookie("csrf_token"); err != nil || tok == "" {
|
|
if tok, err := randomToken(32); err == nil {
|
|
secure := os.Getenv("USE_HTTPS") == "true"
|
|
http.SetCookie(c.Writer, &http.Cookie{
|
|
Name: "csrf_token",
|
|
Value: tok,
|
|
Path: "/",
|
|
Secure: secure,
|
|
HttpOnly: false,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
}
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// CSRFMiddleware enforces CSRF checks on unsafe methods for cookie-authenticated requests.
|
|
//
|
|
// - Skips safe methods (GET/HEAD/OPTIONS).
|
|
// - Skips requests using Authorization: Bearer (non-cookie API clients).
|
|
// - Enforces only when auth_token cookie is present (browser session).
|
|
//
|
|
// Validation uses the double-submit cookie pattern:
|
|
// cookie csrf_token must match X-CSRF-Token header OR _csrf form field.
|
|
func CSRFMiddleware() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
m := c.Request.Method
|
|
if m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
if strings.HasPrefix(c.GetHeader("Authorization"), "Bearer ") {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Only enforce when cookie auth is in play
|
|
if _, err := c.Cookie("auth_token"); err != nil {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Extra hardening: basic Origin check when present.
|
|
if origin := c.GetHeader("Origin"); origin != "" {
|
|
host := c.Request.Host
|
|
if !strings.Contains(origin, host) {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "csrf origin blocked"})
|
|
return
|
|
}
|
|
}
|
|
|
|
cookieTok, err := c.Cookie("csrf_token")
|
|
if err != nil || cookieTok == "" {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "missing csrf cookie"})
|
|
return
|
|
}
|
|
|
|
reqTok := c.GetHeader("X-CSRF-Token")
|
|
if reqTok == "" {
|
|
reqTok = c.PostForm("_csrf")
|
|
}
|
|
|
|
if reqTok == "" || reqTok != cookieTok {
|
|
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "bad csrf token"})
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|