proof of concept csrf working. needs cleaning up and securing
This commit is contained in:
parent
1709429e98
commit
e07b20b531
13
main.go
13
main.go
|
@ -83,6 +83,13 @@ func csrfSecret() string {
|
|||
}
|
||||
return string(bytes)
|
||||
}
|
||||
type CSRFErrorHandler struct {}
|
||||
|
||||
func (self CSRFErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Println("csrf Failure: ")
|
||||
fmt.Println(csrf.FailureReason(r))
|
||||
fmt.Println("-----")
|
||||
}
|
||||
|
||||
func main() {
|
||||
fmt.Println("transmet ", VERSION)
|
||||
|
@ -95,10 +102,14 @@ func main() {
|
|||
loadConfig(*envFlag)
|
||||
dbConnect()
|
||||
initTemplates()
|
||||
//CSRF := csrf.Protect([]byte(csrfSecret()));
|
||||
r := init_route_handlers()
|
||||
errHandle := csrf.ErrorHandler( CSRFErrorHandler{} )
|
||||
sec := csrf.Secure(false)
|
||||
|
||||
fmt.Println("Listening on", config.Port, "...")
|
||||
err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte(csrfSecret()))(r))
|
||||
|
||||
err := http.ListenAndServe(":"+config.Port, csrf.Protect([]byte("12345678901234567890123456789012"), errHandle, sec)(r)) //csrfSecret()))(r))
|
||||
if err != nil {
|
||||
fmt.Println("Fatal Error: ", err)
|
||||
}
|
||||
|
|
|
@ -76,6 +76,7 @@ func LoginFormHandler(w http.ResponseWriter, r *http.Request) {
|
|||
// TODO: proper per account and client flood control rate limiting
|
||||
// currently weak per call slow down is by-passable at scale
|
||||
func LoginPostHandler(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Println("LoginPostHandler()")
|
||||
time.Sleep(500 * time.Millisecond) // WEAK poor mans rate limiting for logins
|
||||
r.ParseForm()
|
||||
username := r.PostFormValue("username")
|
||||
|
@ -420,14 +421,24 @@ func ServeFileHandler(res http.ResponseWriter, req *http.Request) {
|
|||
}
|
||||
|
||||
func init_route_handlers() *mux.Router {
|
||||
|
||||
// Mux + CSRF
|
||||
r := mux.NewRouter()
|
||||
|
||||
r.Handle("/js/", http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
|
||||
r.Handle("/css/", http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
|
||||
r.Handle("/fonts/", http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
|
||||
|
||||
// Basic Handle - static files - no CSRF wrapper
|
||||
r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("js/"))))
|
||||
r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("css/"))))
|
||||
r.PathPrefix("/fonts/").Handler(http.StripPrefix("/fonts", http.FileServer(http.Dir("fonts/"))))
|
||||
r.HandleFunc("/favicon.ico", ServeFileHandler)
|
||||
|
||||
r.HandleFunc("/login", getPostHandler(LoginFormHandler, LoginPostHandler))
|
||||
|
||||
rGet := r.Methods("GET").Subrouter()
|
||||
rPost := r.Methods("POST").Subrouter()
|
||||
|
||||
rGet.HandleFunc("/login", LoginFormHandler)
|
||||
rPost.HandleFunc("/login", LoginPostHandler)
|
||||
|
||||
r.HandleFunc("/logout", userHandler(LogoutHandler))
|
||||
|
||||
r.HandleFunc("/add", getPostHandler(userHandler(addFormHandler), userHandler(addPostHandler)))
|
||||
|
@ -444,7 +455,7 @@ func init_route_handlers() *mux.Router {
|
|||
r.HandleFunc("/categories/add", userHandler(categoryAddHandler))
|
||||
r.HandleFunc("/categories/delete", userHandler(categoryDeleteHandler))
|
||||
|
||||
http.Handle("/", r)
|
||||
//http.Handle("/", r)
|
||||
|
||||
return r
|
||||
}
|
||||
|
|
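Review bot: CSRFErrorHandler.ServeHTTP in the first hunk only prints the failure reason and never writes a response, so a request that fails CSRF validation falls through to an implicit 200 OK with an empty body instead of the 403 the library's default handler sends; add `http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)` after the log lines. In the second hunk the `csrf.Protect` call now uses the literal key `"12345678901234567890123456789012"` together with `csrf.Secure(false)`, which the title already flags as temporary; both should go back to `csrfSecret()` and a Secure cookie before this is merged, and if csrfSecret() derives a fresh value per process (its body is outside the hunk), tokens issued before a restart will stop validating, which is worth confirming. The comment `// Basic Handle - static files - no CSRF wrapper` in the init_route_handlers hunk is misleading, since the whole router is wrapped by csrf.Protect in main and the static routes pass only because GET is a safe method; suggest `// static files: behind csrf.Protect like every route, but GET requests are not token-checked`. The receiver name `self` is non-idiomatic Go; use a short name such as `h`.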