zhimeng
/
ad_platform
2
0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 0 Wiki Activity
广告平台(站长使用)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
144 Commit
1 分支
4.2 MiB
 
 
 
 
 
目錄樹: 7115e80054
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '7115e80054'
${ noResults }
ad_platform/app/mw/mw_csrf.go

137 line
2.5 KiB
原始文件 Blame 文件歷史 

  1. package mw

  2. 

  3. import (

  4. 	"crypto/sha1"

  5. 	"encoding/base64"

  6. 	"errors"

  7. 	"io"

  8. 

  9. 	"github.com/dchest/uniuri"

  10. 	"github.com/gin-contrib/sessions"

  11. 	"github.com/gin-gonic/gin"

  12. )

  13. 

  14. // csrf,xsrf检查

  15. const (

  16. 	csrfSecret = "csrfSecret"

  17. 	csrfSalt   = "csrfSalt"

  18. 	csrfToken  = "csrfToken"

  19. )

  20. 

  21. var defaultIgnoreMethods = []string{"GET", "HEAD", "OPTIONS"}

  22. 

  23. var defaultErrorFunc = func(c *gin.Context) {

  24. 	panic(errors.New("CSRF token mismatch"))

  25. }

  26. 

  27. var defaultTokenGetter = func(c *gin.Context) string {

  28. 	r := c.Request

  29. 

  30. 	if t := r.FormValue("_csrf"); len(t) > 0 {

  31. 		return t

  32. 	} else if t := r.URL.Query().Get("_csrf"); len(t) > 0 {

  33. 		return t

  34. 	} else if t := r.Header.Get("X-CSRF-TOKEN"); len(t) > 0 {

  35. 		return t

  36. 	} else if t := r.Header.Get("X-XSRF-TOKEN"); len(t) > 0 {

  37. 		return t

  38. 	}

  39. 

  40. 	return ""

  41. }

  42. 

  43. // Options stores configurations for a CSRF middleware.

  44. type Options struct {

  45. 	Secret        string

  46. 	IgnoreMethods []string

  47. 	ErrorFunc     gin.HandlerFunc

  48. 	TokenGetter   func(c *gin.Context) string

  49. }

  50. 

  51. func tokenize(secret, salt string) string {

  52. 	h := sha1.New()

  53. 	io.WriteString(h, salt+"-"+secret)

  54. 	hash := base64.URLEncoding.EncodeToString(h.Sum(nil))

  55. 

  56. 	return hash

  57. }

  58. 

  59. func inArray(arr []string, value string) bool {

  60. 	inarr := false

  61. 

  62. 	for _, v := range arr {

  63. 		if v == value {

  64. 			inarr = true

  65. 			break

  66. 		}

  67. 	}

  68. 

  69. 	return inarr

  70. }

  71. 

  72. // Middleware validates CSRF token.

  73. func Middleware(options Options) gin.HandlerFunc {

  74. 	ignoreMethods := options.IgnoreMethods

  75. 	errorFunc := options.ErrorFunc

  76. 	tokenGetter := options.TokenGetter

  77. 

  78. 	if ignoreMethods == nil {

  79. 		ignoreMethods = defaultIgnoreMethods

  80. 	}

  81. 

  82. 	if errorFunc == nil {

  83. 		errorFunc = defaultErrorFunc

  84. 	}

  85. 

  86. 	if tokenGetter == nil {

  87. 		tokenGetter = defaultTokenGetter

  88. 	}

  89. 

  90. 	return func(c *gin.Context) {

  91. 		session := sessions.Default(c)

  92. 		c.Set(csrfSecret, options.Secret)

  93. 

  94. 		if inArray(ignoreMethods, c.Request.Method) {

  95. 			c.Next()

  96. 			return

  97. 		}

  98. 

  99. 		salt, ok := session.Get(csrfSalt).(string)

  100. 

  101. 		if !ok || len(salt) == 0 {

  102. 			errorFunc(c)

  103. 			return

  104. 		}

  105. 

  106. 		token := tokenGetter(c)

  107. 

  108. 		if tokenize(options.Secret, salt) != token {

  109. 			errorFunc(c)

  110. 			return

  111. 		}

  112. 

  113. 		c.Next()

  114. 	}

  115. }

  116. 

  117. // GetToken returns a CSRF token.

  118. func GetToken(c *gin.Context) string {

  119. 	session := sessions.Default(c)

  120. 	secret := c.MustGet(csrfSecret).(string)

  121. 

  122. 	if t, ok := c.Get(csrfToken); ok {

  123. 		return t.(string)

  124. 	}

  125. 

  126. 	salt, ok := session.Get(csrfSalt).(string)

  127. 	if !ok {

  128. 		salt = uniuri.New()

  129. 		session.Set(csrfSalt, salt)

  130. 		session.Save()

  131. 	}

  132. 	token := tokenize(secret, salt)

  133. 	c.Set(csrfToken, token)

  134. 

  135. 	return token

  136. }