proof of concept csrf working. needs cleaning up and securing

This commit is contained in:
Dan Ballard 2015-11-07 15:32:28 -08:00
parent 1709429e98
commit e07b20b531
2 changed files with 29 additions and 7 deletions

13
main.go

@ -83,6 +83,13 @@ func csrfSecret() string {
} }
return string(bytes) return string(bytes)
} }
type CSRFErrorHandler struct {}
func (self CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
fmt.Println("csrf Failure: ")
fmt.Println(csrf.FailureReason(r))
fmt.Println("-----")
}
func main() { func main() {
fmt.Println("transmet ", VERSION) fmt.Println("transmet ", VERSION)
@ -95,10 +102,14 @@ func main() {
loadConfig(*envFlag) loadConfig(*envFlag)
dbConnect() dbConnect()
initTemplates() initTemplates()
//CSRF := csrf.Protect([]byte(csrfSecret()));
r := init_route_handlers() r := init_route_handlers()
errHandle := csrf.ErrorHandler( CSRFErrorHandler{} )
sec := csrf.Secure(false)
fmt.Println("Listening on", config.Port, "...") fmt.Println("Listening on", config.Port, "...")
err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte(csrfSecret()))(r))
err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte("12345678901234567890123456789012"), errHandle, sec)(r)) //csrfSecret()))(r))
if err != nil { if err != nil {
fmt.Println("Fatal Error: ", err) fmt.Println("Fatal Error: ", err)
} }
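Review bot: The new ListenAndServe line in the second hunk commits a literal 32-byte CSRF key (`"12345678901234567890123456789012"`) to the repository while the `csrfSecret()` call that previously supplied it is left in a trailing comment, so the key is no longer secret and the token check it backs no longer proves anything. Assuming `csrfSecret()` still returns a suitably sized key, restore it: `err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte(csrfSecret()), errHandle, sec)(r))`. The `csrf.Secure(false)` option on the line above turns off the Secure flag on the CSRF cookie and should be tied to a development-only configuration value rather than left unconditional. In the first hunk, `CSRFErrorHandler.ServeHTTP` prints the failure reason but never writes a response, so a rejected request falls through with an empty 200; add `http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)` after the prints.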


@ -76,6 +76,7 @@ func LoginFormHandler(w http.ResponseWriter, r *http.Request) {
// TODO: proper per account and client flood control rate limiting // TODO: proper per account and client flood control rate limiting
// currently weak per call slow down is by-passable at scale // currently weak per call slow down is by-passable at scale
func LoginPostHandler(w http.ResponseWriter, r *http.Request) { func LoginPostHandler(w http.ResponseWriter, r *http.Request) {
fmt.Println("LoginPostHandler()")
time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins
r.ParseForm() r.ParseForm()
username := r.PostFormValue("username") username := r.PostFormValue("username")
@ -420,14 +421,24 @@ func ServeFileHandler(res http.ResponseWriter, req *http.Request) {
} }
func init_route_handlers() *mux.Router { func init_route_handlers() *mux.Router {
// Mux + CSRF
r := mux.NewRouter() r := mux.NewRouter()
r.Handle("/js/", http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
r.Handle("/css/", http.StripPrefix("/css/", http.FileServer(http.Dir("css/")))) // Basic Handle - static files - no CSRF wrapper
r.Handle("/fonts/", http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/")))) r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
r.HandleFunc("/favicon.ico", ServeFileHandler) r.HandleFunc("/favicon.ico", ServeFileHandler)
r.HandleFunc("/login", getPostHandler(LoginFormHandler, LoginPostHandler))
rGet := r.Methods("GET").Subrouter()
rPost := r.Methods("POST").Subrouter()
rGet.HandleFunc("/login", LoginFormHandler)
rPost.HandleFunc("/login", LoginPostHandler)
r.HandleFunc("/logout", userHandler(LogoutHandler)) r.HandleFunc("/logout", userHandler(LogoutHandler))
r.HandleFunc("/add", getPostHandler(userHandler(addFormHandler), userHandler(addPostHandler))) r.HandleFunc("/add", getPostHandler(userHandler(addFormHandler), userHandler(addPostHandler)))
@ -444,7 +455,7 @@ func init_route_handlers() *mux.Router {
r.HandleFunc("/categories/add", userHandler(categoryAddHandler)) r.HandleFunc("/categories/add", userHandler(categoryAddHandler))
r.HandleFunc("/categories/delete", userHandler(categoryDeleteHandler)) r.HandleFunc("/categories/delete", userHandler(categoryDeleteHandler))
http.Handle("/", r) //http.Handle("/", r)
return r return r
} }
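Review bot: The comment `// Basic Handle - static files - no CSRF wrapper` added in the second hunk of this file is misleading: the router `r` returned by `init_route_handlers` is wrapped as a whole by `csrf.Protect(...)(r)` in main.go, so the `/js/`, `/css/` and `/fonts/` handlers sit inside the CSRF middleware like every other route. Either reword it, e.g. `// Static files: no auth wrapper; the whole router is wrapped by csrf.Protect in main`, or register them on a separate mux outside the protected router if exemption is actually intended. The `/login` split into `rGet`/`rPost` subrouters is sound, but `/logout` on the following line still goes through `r.HandleFunc` and so accepts GET; if the CSRF middleware validates only unsafe methods, a GET logout remains a state change that carries no token, so consider `rPost.HandleFunc("/logout", userHandler(LogoutHandler))` once the logout links are submitted as forms.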