🔒 Improved CSRF middleware configuration
parent
e463a437ee
commit
98b6d77dc1
|
@ -123,13 +123,15 @@ func (h *RequestHandler) Register(r *router.Router) {
|
||||||
chain := middleware.Chain{
|
chain := middleware.Chain{
|
||||||
middleware.CSRFWithConfig(middleware.CSRFConfig{
|
middleware.CSRFWithConfig(middleware.CSRFConfig{
|
||||||
Skipper: func(ctx *http.RequestCtx) bool {
|
Skipper: func(ctx *http.RequestCtx) bool {
|
||||||
return ctx.IsPost() && string(ctx.Path()) == "/authorize"
|
matched, _ := path.Match("/authorize*", string(ctx.Path()))
|
||||||
|
|
||||||
|
return ctx.IsPost() && matched
|
||||||
},
|
},
|
||||||
CookieMaxAge: 0,
|
CookieMaxAge: 0,
|
||||||
CookieSameSite: http.CookieSameSiteStrictMode,
|
CookieSameSite: http.CookieSameSiteStrictMode,
|
||||||
ContextKey: "",
|
ContextKey: "csrf",
|
||||||
CookieDomain: "",
|
CookieDomain: h.config.Server.Domain,
|
||||||
CookieName: "_csrf",
|
CookieName: "__Secure-csrf",
|
||||||
CookiePath: "",
|
CookiePath: "",
|
||||||
TokenLookup: "form:_csrf",
|
TokenLookup: "form:_csrf",
|
||||||
TokenLength: 0,
|
TokenLength: 0,
|
||||||
|
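Review bot: The rewritten Skipper widens the CSRF exemption from the exact path `/authorize` to every POST whose path matches the glob `/authorize*` (any `/authorize<suffix>` without a further slash), so a future route added under that prefix is exempt from CSRF checks without anyone deciding so; if only the authorization endpoint is meant, an explicit path comparison or list, with a comment naming the routes it covers, keeps the exempt surface deliberate. The discarded second return of `path.Match` is safe only because the pattern is a constant, which is worth stating on the line: `matched, _ := path.Match("/authorize*", string(ctx.Path())) // constant pattern, ErrBadPattern cannot occur`. Renaming the cookie to `__Secure-csrf` requires it to carry the Secure attribute, and the config shown sets no secure flag, so unless the middleware defaults it to true (not visible here) browsers will drop the cookie and every CSRF check will fail. Setting CookieDomain to h.config.Server.Domain also changes the cookie from host-only to one sent to every subdomain of that domain; if that widening is not intended, leave it empty. The same cookie settings recur in the hunk at `@ -65,10 +65,10 @@`.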
@ -226,6 +228,7 @@ func (h *RequestHandler) handleRender(ctx *http.RequestCtx) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *RequestHandler) handleVerify(ctx *http.RequestCtx) {
|
func (h *RequestHandler) handleVerify(ctx *http.RequestCtx) {
|
||||||
|
ctx.Response.Header.Set(http.HeaderAccessControlAllowOrigin, h.config.Server.Domain)
|
||||||
ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)
|
ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)
|
||||||
|
|
||||||
encoder := json.NewEncoder(ctx)
|
encoder := json.NewEncoder(ctx)
|
||||||
|
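Review bot: The added Access-Control-Allow-Origin header takes h.config.Server.Domain as its value, but that header must carry an origin (`scheme://host[:port]`), not a bare domain; if Server.Domain holds only a hostname no browser Origin will match and cross-origin callers fail closed, and if it already carries the scheme the header only ever allows the server's own origin, for which CORS is never consulted. When a single specific origin is echoed, `ctx.Response.Header.Add("Vary", "Origin")` should accompany it so shared caches do not replay the header to other origins. Whether this endpoint is called from a browser at all is not visible here; if it is server-to-server only, the header can be dropped. The same line is added to handleSend in the hunk at `@ -117,6 +118,7 @@`, and both function bodies continue past their hunks.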
@ -399,6 +402,7 @@ func NewAuthVerifyRequest() *AuthVerifyRequest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//nolint: funlen
|
||||||
func (r *AuthVerifyRequest) bind(ctx *http.RequestCtx) error {
|
func (r *AuthVerifyRequest) bind(ctx *http.RequestCtx) error {
|
||||||
indieAuthError := new(domain.Error)
|
indieAuthError := new(domain.Error)
|
||||||
|
|
||||||
|
|
|
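Review bot: The added `//nolint: funlen` silences the length lint on bind without recording why; golangci-lint's documented form is `//nolint:funlen // <reason>`, and depending on nolintlint settings the space after the colon and the missing justification may be reported. Since the directive suppresses the finding rather than addressing it, splitting bind into per-field helpers would be the alternative; its body continues outside the hunk, so I cannot tell how long it is.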
@ -65,10 +65,10 @@ func (h *RequestHandler) Register(r *router.Router) {
|
||||||
return ctx.IsPost() && matched
|
return ctx.IsPost() && matched
|
||||||
},
|
},
|
||||||
CookieMaxAge: 0,
|
CookieMaxAge: 0,
|
||||||
CookieSameSite: http.CookieSameSiteLaxMode,
|
CookieSameSite: http.CookieSameSiteStrictMode,
|
||||||
ContextKey: "csrf",
|
ContextKey: "csrf",
|
||||||
CookieDomain: "",
|
CookieDomain: h.config.Server.Domain,
|
||||||
CookieName: "_csrf",
|
CookieName: "__Secure-csrf",
|
||||||
CookiePath: "",
|
CookiePath: "",
|
||||||
TokenLookup: "form:_csrf",
|
TokenLookup: "form:_csrf",
|
||||||
TokenLength: 0,
|
TokenLength: 0,
|
||||||
|
@ -88,7 +88,8 @@ func (h *RequestHandler) Register(r *router.Router) {
|
||||||
SigningMethod: jwa.SignatureAlgorithm(h.config.JWT.Algorithm),
|
SigningMethod: jwa.SignatureAlgorithm(h.config.JWT.Algorithm),
|
||||||
Skipper: middleware.DefaultSkipper,
|
Skipper: middleware.DefaultSkipper,
|
||||||
SuccessHandler: nil,
|
SuccessHandler: nil,
|
||||||
TokenLookup: middleware.SourceHeader + ":" + http.HeaderAuthorization,
|
TokenLookup: middleware.SourceHeader + ":" + http.HeaderAuthorization +
|
||||||
|
"," + middleware.SourceCookie + ":" + "__Secure-auth-token",
|
||||||
}),
|
}),
|
||||||
middleware.LogFmt(),
|
middleware.LogFmt(),
|
||||||
}
|
}
|
||||||
|
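Review bot: Adding `cookie:__Secure-auth-token` as a second TokenLookup source means the JWT-protected handlers now also accept an ambient credential that the browser attaches on its own, so every state-changing route behind this middleware becomes CSRF-relevant unless the CSRF middleware configured earlier in this file covers it — and that config's Skipper exempts POST `/authorize*`. Confirm that the cookie is issued with Secure, HttpOnly and a SameSite attribute wherever it is set (not visible here) and that no route the CSRF Skipper exempts accepts the cookie-sourced token. The cookie name is a bare string literal here; a package-level constant shared with the code that sets the cookie keeps the two in step. The struct literal this TokenLookup belongs to starts before the hunk.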
@ -117,6 +118,7 @@ func (h *RequestHandler) handleRender(ctx *http.RequestCtx) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *RequestHandler) handleSend(ctx *http.RequestCtx) {
|
func (h *RequestHandler) handleSend(ctx *http.RequestCtx) {
|
||||||
|
ctx.Response.Header.Set(http.HeaderAccessControlAllowOrigin, h.config.Server.Domain)
|
||||||
ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)
|
ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)
|
||||||
ctx.SetStatusCode(http.StatusOK)
|
ctx.SetStatusCode(http.StatusOK)
|
||||||
|
|
||||||
|
|