cbonello / revel-csrf Goto Github PK

when I set cookies.secure=true in app.conf

csrf tokens get regenerated with each request to the server

not sure if this is a revel-csrf issue or revel's decryption cookies failing

Thanks for this filter, it's working great but I have found one small issue. I have a form with enctype="multipart/form-data", my guess is that this causes problems with sentToken = r.PostFormValue(fieldName). In this case my sentToken becomes an empty string and the csrf check fails.

revel moved to github.com/revel/revel

this is the error generated:

cannot use csrf.CSRFFilter (type func(*"github.com/robfig/revel".Controller, []"github.com/robfig/revel".Filter)) as type "github.com/revel/revel".Filter in array element

Has anybody ever used Revel tests with CSRF protected application? How tests can get CSRF token?

I can come up with the following solutions:

1. Parse some page and get token
2. Create an action which will return token when in dev mode.

Is there a better (less workaroundish) solution? How is this problem being solved in other frameworks?

Here is what I've managed to find:

1. Node.js/Express related solution: http://stackoverflow.com/questions/18773846/how-to-test-endpoints-protected-by-csrf-in-node-js-express
   • Parse cookie received by tests and find token there
   • When in dev mode use a constant for token rather than a random string
2. SAP in response to GET request with header X-CSRF-Token Value : Fetch returns token: https://scn.sap.com/thread/3484244

i found my production server crash without notice.
when more than 1 users access the system from another machine,
it somehow crashed

i ran manually your plugin with:
csrf.CSRFFilter(c, fc)

what could be the issue?

thanks

Use ViewArgs instead of RenderArgs

http://stackoverflow.com/questions/43105676/using-go-and-revel-getting-error-c-renderargs-is-undefined-possibly-outdated

Can you include a LICENSE file for your repo?

csrf is needed for revel, wish your code had a license

I wonder if the "same origination policy" implementation will override CORS policy or not. I have not tested it yet.

it seems to keep generating new csrf even for static assets files (js, css, img)
its causing the csrf to not work properly