
mw-csrf's Introduction

Buffalo Documentation

gobuffalo.io

This is the repository for https://www.gobuffalo.io, the official website of the Buffalo ecosystem.

This documentation contains:

Contributing

Contributing to this documentation site is a great, and easy, way to help make Buffalo better!

Note that this repository is only about Buffalo ecosystem documentation. If you want to contribute to the ecosystem itself, please refer to the relevant repository:

See the contribution guide for more info about how to contribute.

mw-csrf's People

Contributors

atomicnibble, kteb, markbates, paganotoni, sio4, stanislas-m


Forkers

atomicnibble

mw-csrf's Issues

Report a typo not a bug

https://github.com/gobuffalo/mw-csrf/blob/master/csrf.go#L219

// tokenLength and xorToken are defined elsewhere in csrf.go and are not shown here.
func unmask(issued []byte) []byte {
	// Issued tokens are always masked and combined with the pad.
	if len(issued) != tokenLength*2 {
		return nil
	}

	// We now know the length of the byte slice.
	otp := issued[tokenLength:]
	masked := issued[:tokenLength]

	// Unmask the token by XOR'ing it against the OTP used to mask it.
	return xorToken(otp, masked)
}

The mask appends the XORed token to the otp, but the unmask func treats the XORed part as being at the end.

As the result is the front half XOR the latter half, the result is right.
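To make the point of the issue concrete, here is an added, self-contained Go example (not code from mw-csrf itself) that implements the masking layout the issue describes, otp || (token XOR otp), together with the quoted unmask function. It assumes tokenLength is 32 and supplies its own xorToken helper, since the issue names both but shows neither. Running it shows that unmask recovers the token whether the OTP is the first or the second half, because XOR is commutative, and that the length check rejects anything that is not exactly two token lengths.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// tokenLength is assumed to be 32 bytes; the quoted snippet relies on a
// package constant of that name whose value the issue does not show.
const tokenLength = 32

// xorToken XORs a and b byte-wise, truncating to the shorter slice.
// Assumed helper: the issue references it without showing its body.
func xorToken(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// mask lays the issued value out as otp || (token XOR otp), which is what
// the issue describes ("the mask appends the xored token to otp").
func mask(token, otp []byte) []byte {
	out := make([]byte, 0, 2*tokenLength)
	out = append(out, otp...)
	return append(out, xorToken(token, otp)...)
}

// unmask is the function quoted in the issue: it reads the second half as
// the OTP and the first half as the masked token.
func unmask(issued []byte) []byte {
	if len(issued) != tokenLength*2 {
		return nil
	}
	otp := issued[tokenLength:]
	masked := issued[:tokenLength]
	return xorToken(otp, masked)
}

// roundTrips reports whether unmask(mask(token, otp)) recovers token.
func roundTrips(token, otp []byte) bool {
	return bytes.Equal(unmask(mask(token, otp)), token)
}

// swappedHalvesRoundTrip shows why the mislabelled halves do not matter:
// because a XOR b == b XOR a, unmask also recovers the token when the
// issued value is laid out as (token XOR otp) || otp.
func swappedHalvesRoundTrip(token, otp []byte) bool {
	issued := append(append([]byte{}, xorToken(token, otp)...), otp...)
	return bytes.Equal(unmask(issued), token)
}

// newOTP draws a fresh one-time pad. A new pad per issued token is what makes
// the masking useful against compression side channels such as BREACH: the
// bytes placed in the page differ on every response even though the
// underlying session token does not.
func newOTP() ([]byte, error) {
	otp := make([]byte, tokenLength)
	if _, err := rand.Read(otp); err != nil {
		return nil, err
	}
	return otp, nil
}

func main() {
	token := make([]byte, tokenLength) // constructed sample token
	for i := range token {
		token[i] = byte(i)
	}
	otp, err := newOTP()
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", roundTrips(token, otp))
	fmt.Println("swapped halves ok:", swappedHalvesRoundTrip(token, otp))
	fmt.Println("wrong length rejected:", unmask(token) == nil)
}
```

The comments in the quoted snippet are therefore misleading rather than wrong in effect; what matters for correctness is only that both halves are present and that the same XOR is applied on the way out.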

MW-CSRF ignores POST/PUT/DELETE with Content-Type: application/json

I'm developing a backend via GoBuffalo, hence I need a CSRF check for POST/DELETE/PUT methods, but MW-CSRF simply ignores these requests with Content-Type: application/json due to:

  htmlTypes   = []string{"html", "form", "plain", "*/*"}
  // ...
  req := c.Request()
  ct := req.Header.Get("Content-Type")
  if len(ct) == 0 {
    ct = req.Header.Get("Accept")
  }
  // ignore non-html requests
  if ct != "" && !contains(htmlTypes, ct) {
    return next(c)
  }

Note: I'm using "github.com/rs/cors" too, the FrontEnd is under development using ReactJS.
What could I do?
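The following is an added Go example (not mw-csrf's own code) that isolates the gating decision the issue quotes and puts it beside a stricter policy. It assumes the unnamed contains helper does a substring match against htmlTypes, which is what makes "application/json" fall through while "application/x-www-form-urlencoded" and "text/html; charset=utf-8" are caught. The stricter policy keys only on the HTTP method: a browser can send a credentialed application/json request cross-site through fetch() whenever the CORS layer (rs/cors in the reporter's setup) permits it, so the media type on its own is not evidence that the request did not originate from a page.

```go
package main

import (
	"fmt"
	"strings"
)

// htmlTypes is the list quoted in the issue.
var htmlTypes = []string{"html", "form", "plain", "*/*"}

// unsafeMethods are the state-changing methods a CSRF check must cover.
var unsafeMethods = map[string]bool{
	"POST":   true,
	"PUT":    true,
	"PATCH":  true,
	"DELETE": true,
}

// contains is assumed to be a substring match; the issue names the helper
// but does not show its body.
func contains(vs []string, t string) bool {
	for _, v := range vs {
		if strings.Contains(t, v) {
			return true
		}
	}
	return false
}

// quotedPolicy mirrors the gating logic in the issue: the token check is
// skipped for any request whose Content-Type (or, failing that, Accept) is
// not HTML-like. It reports whether the token would be verified.
func quotedPolicy(method, contentType, accept string) bool {
	ct := contentType
	if ct == "" {
		ct = accept
	}
	if ct != "" && !contains(htmlTypes, ct) {
		return false // non-html request: middleware passes it straight through
	}
	return unsafeMethods[method]
}

// strictPolicy verifies the token on every state-changing request regardless
// of media type. Safe methods (GET, HEAD, OPTIONS) are still exempt, which is
// what keeps CORS preflights and plain page loads working.
func strictPolicy(method, contentType, accept string) bool {
	return unsafeMethods[method]
}

func main() {
	// Constructed sample requests: method, Content-Type, Accept.
	samples := [][3]string{
		{"POST", "application/x-www-form-urlencoded", ""},
		{"POST", "application/json", ""},
		{"DELETE", "application/json", "application/json"},
		{"POST", "", "*/*"},
		{"GET", "text/html", ""},
	}
	fmt.Printf("%-7s %-36s %-8s %-6s\n", "method", "content-type", "quoted", "strict")
	for _, s := range samples {
		fmt.Printf("%-7s %-36s %-8v %-6v\n", s[0], s[1],
			quotedPolicy(s[0], s[1], s[2]), strictPolicy(s[0], s[1], s[2]))
	}
}
```

If an application genuinely wants a different rule for a JSON API (for example, relying on a custom request header that simple cross-site forms cannot set), that rule should be an explicit, documented decision rather than a side effect of a substring match on Content-Type.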

X-CSRF-Token Header cannot work

With the actual implementation of http.Header, which basically wraps textproto.MIMEHeader, the header field X-CSRF-Token defined here can never exist in an http.Header, because textproto.MIMEHeader applies textproto.CanonicalMIMEHeaderKey to every header key inserted.

However, all would be fine if X-CSRF-Token were renamed to X-Csrf-Token.
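Here is an added Go example (not code from the mw-csrf project) that shows exactly what canonicalisation does to this header name. It sets the header through http.Header.Set, reads it back through both Header.Get and direct map indexing, and parses a constructed raw request the way the Go HTTP server does. Header.Get and Header.Set canonicalise the key they are given, so the mixed-case spelling works through those accessors; only code that indexes the underlying map with the raw string misses the value.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/textproto"
	"sort"
	"strings"
)

// csrfHeader is the spelling the issue is about.
const csrfHeader = "X-CSRF-Token"

// canonical returns the key form net/textproto stores headers under.
func canonical(key string) string {
	return textproto.CanonicalMIMEHeaderKey(key)
}

// storedKey sets the header with Header.Set and reports the key(s) the
// underlying map actually holds afterwards.
func storedKey() string {
	h := http.Header{}
	h.Set(csrfHeader, "tok")
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// viaGet reads the value back through Header.Get, which canonicalises the
// lookup key as well, so the mixed-case spelling works here.
func viaGet() string {
	h := http.Header{}
	h.Set(csrfHeader, "tok")
	return h.Get(csrfHeader)
}

// viaIndex indexes the underlying map with the raw key; this is the access
// pattern that silently returns nothing.
func viaIndex() []string {
	h := http.Header{}
	h.Set(csrfHeader, "tok")
	return h[csrfHeader]
}

// parsedLookup parses a constructed raw request with net/http's own reader
// and reports how the client's X-CSRF-Token header can be found afterwards:
// the value via Header.Get, whether the canonical key is present in the map,
// and whether the raw mixed-case key is present.
func parsedLookup() (value string, canonicalPresent, rawPresent bool, err error) {
	// Constructed request, not captured traffic.
	raw := "POST /submit HTTP/1.1\r\nHost: example.test\r\nX-CSRF-Token: abc\r\n\r\n"
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", false, false, err
	}
	_, canonicalPresent = req.Header[canonical(csrfHeader)]
	_, rawPresent = req.Header[csrfHeader]
	return req.Header.Get(csrfHeader), canonicalPresent, rawPresent, nil
}

func main() {
	fmt.Println("canonical form:", canonical(csrfHeader))
	fmt.Println("stored under:  ", storedKey())
	fmt.Println("Header.Get:    ", viaGet())
	fmt.Println("raw index:     ", viaIndex())
	v, c, r, err := parsedLookup()
	fmt.Println("parsed request:", v, c, r, err)
}
```

The practical rule for a middleware author is to read and write the header through Header.Get, Header.Set and Header.Values, never by indexing the map with a literal, and then the constant's capitalisation is irrelevant.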

Disable csrf protection for certain endpoints

Given my limited knowledge regarding go (just started a few weeks ago):

How to disable csrf for certain endpoints? I've tried to Middleware.Skip but somehow csrf is not a real middleware function.

Is it safe to use any other csrf packet?

Only 1 or 2 endpoints are API endpoints and I don't feel like putting these into another module.
