diff --git a/main.go b/main.go
index 168b4c3..2a69256 100644
--- a/main.go
+++ b/main.go
@@ -83,6 +83,13 @@ func csrfSecret() string {
 }
 return string(bytes)
 }
+type CSRFErrorHandler struct {}
+
+func (self CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ fmt.Println("csrf Failure: ")
+ fmt.Println(csrf.FailureReason(r))
+ fmt.Println("-----")
+}
 func main() {
 fmt.Println("transmet ", VERSION)
@@ -95,10 +102,14 @@ func main() {
 loadConfig(*envFlag)
 dbConnect()
 initTemplates()
+ //CSRF := csrf.Protect([]byte(csrfSecret()));
 r := init_route_handlers()
-
+ errHandle := csrf.ErrorHandler( CSRFErrorHandler{} )
+ sec := csrf.Secure(false)
+
 fmt.Println("Listening on", config.Port, "...")
- err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte(csrfSecret()))(r))
+
+ err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte("12345678901234567890123456789012"), errHandle, sec)(r)) //csrfSecret()))(r))
 if err != nil {
 fmt.Println("Fatal Error: ", err)
 }
diff --git a/route_handlers.go b/route_handlers.go
index f6ee6ac..7e2e9be 100644
--- a/route_handlers.go
+++ b/route_handlers.go
@@ -76,6 +76,7 @@ func LoginFormHandler(w http.ResponseWriter, r *http.Request) {
 // TODO: proper per account and client flood control rate limiting
 // currently weak per call slow down is by-passable at scale
 func LoginPostHandler(w http.ResponseWriter, r *http.Request) {
+ fmt.Println("LoginPostHandler()")
 time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins
 r.ParseForm()
 username := r.PostFormValue("username")
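Review bot: CSRFErrorHandler.ServeHTTP never writes to `w`, so a request that fails the CSRF check gets an implicit 200 with an empty body instead of the 403 that gorilla/csrf's default error handler returns; the client and any monitoring see success on a rejected request. The receiver name `self` is also non-idiomatic Go (use a short name such as `h`). Keep the failure reason in the server log only and send an explicit status: `fmt.Println("csrf failure:", csrf.FailureReason(r))` followed by `http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)`. `func main` begins at the end of this hunk and continues outside it.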
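Review bot: The new `csrf.Protect` call replaces `csrfSecret()` with the literal `"12345678901234567890123456789012"`, a hard-coded authentication key that now lives in the repository: anyone who can read the source can mint valid CSRF tokens, and the key cannot be rotated without a code change. `csrf.Secure(false)` in the same call clears the cookie's Secure flag, so the CSRF cookie would also be sent over plain HTTP wherever this build is deployed. The trailing `//csrfSecret()))(r))` and the commented-out `//CSRF := ...` line above read as local debugging that should not be merged: restore `csrf.Protect([]byte(csrfSecret()), errHandle)` and add `csrf.Secure(false)` only behind a development switch (none is visible here; whatever `loadConfig` provides), e.g. `opts := []csrf.Option{errHandle}` / `if devMode { opts = append(opts, csrf.Secure(false)) }` / `csrf.Protect([]byte(csrfSecret()), opts...)(r)`. Because the literal key has already been committed, treat it as compromised even after the fix. `main` starts outside this hunk.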
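Review bot: `fmt.Println("LoginPostHandler()")` is a bare debug trace with no request context, running on every login attempt right under the TODO about login flood control; as written it adds log noise without helping detect abuse. Either drop it before merging or make it an audit line that records the source, e.g. `fmt.Println("login attempt from", r.RemoteAddr)`, and never log the submitted password. LoginPostHandler's body continues past the end of this hunk.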
@@ -420,14 +421,24 @@ func ServeFileHandler(res http.ResponseWriter, req *http.Request) {
 }
 func init_route_handlers() *mux.Router {
+
+ // Mux + CSRF
 r := mux.NewRouter()
- r.Handle("/js/", http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
- r.Handle("/css/", http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
- r.Handle("/fonts/", http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
+
+ // Basic Handle - static files - no CSRF wrapper
+ r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
+ r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
+ r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
 r.HandleFunc("/favicon.ico", ServeFileHandler)
- r.HandleFunc("/login", getPostHandler(LoginFormHandler, LoginPostHandler))
+
+ rGet := r.Methods("GET").Subrouter()
+ rPost := r.Methods("POST").Subrouter()
+
+ rGet.HandleFunc("/login", LoginFormHandler)
+ rPost.HandleFunc("/login", LoginPostHandler)
+
 r.HandleFunc("/logout", userHandler(LogoutHandler))
 r.HandleFunc("/add", getPostHandler(userHandler(addFormHandler), userHandler(addPostHandler)))
@@ -444,7 +455,7 @@ func init_route_handlers() *mux.Router {
 r.HandleFunc("/categories/add", userHandler(categoryAddHandler))
 r.HandleFunc("/categories/delete", userHandler(categoryDeleteHandler))
- http.Handle("/", r)
+ //http.Handle("/", r)
 return r
 }
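Review bot: Switching the static routes to `PathPrefix` means requests now actually reach the three `http.FileServer` handlers (with gorilla/mux the old `r.Handle("/js/", ...)` was an exact-path match), and `http.FileServer` answers `/js/`, `/css/` and `/fonts/` with a directory listing whenever no index.html is present, exposing the asset inventory. The comment `// Basic Handle - static files - no CSRF wrapper` is also inaccurate: main.go wraps the whole router in `csrf.Protect(...)(r)`, so these handlers sit behind the middleware like every other route (GETs pass its check but still have the cookie set on them). Wrap `http.Dir` in a FileSystem that refuses directories, as below, and reword the comment to say these routes are simply not method-split. The rest of `init_route_handlers` continues in the next hunk.
```go
// noListFS serves files from fs but refuses to open directories, so
// http.FileServer cannot produce a directory listing.
type noListFS struct{ fs http.FileSystem }

func (n noListFS) Open(name string) (http.File, error) {
	f, err := n.fs.Open(name)
	if err != nil {
		return nil, err
	}
	st, err := f.Stat()
	if err != nil || st.IsDir() {
		f.Close()
		return nil, os.ErrNotExist // fs.ErrNotExist is equivalent; either needs its import
	}
	return f, nil
}

// … in init_route_handlers, replacing the three PathPrefix lines …
r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(noListFS{http.Dir("js/")})))
r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(noListFS{http.Dir("css/")})))
r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(noListFS{http.Dir("fonts/")})))
```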