1
0
mirror of https://github.com/astaxie/beego.git synced 2024-12-22 23:50:49 +00:00
move XsrfToken& CheckXsrfCookie to context
This commit is contained in:
astaxie 2014-07-24 23:12:21 +08:00
parent d7090689e8
commit ee9749d640
2 changed files with 41 additions and 25 deletions

View File

@ -20,6 +20,7 @@ import (
"time"
"github.com/astaxie/beego/middleware"
"github.com/astaxie/beego/utils"
)
// Http request context struct including BeegoInput, BeegoOutput, http.Request and http.ResponseWriter.
@ -29,6 +30,7 @@ type Context struct {
Output *BeegoOutput
Request *http.Request
ResponseWriter http.ResponseWriter
_xsrf_token string
}
// Redirect does redirection to localurl with http header status code.
@ -113,3 +115,35 @@ func (ctx *Context) SetSecureCookie(Secret, name, value string, others ...interf
cookie := strings.Join([]string{vs, timestamp, sig}, "|")
ctx.Output.Cookie(name, cookie, others...)
}
// XsrfToken creates a xsrf token string and returns.
func (ctx *Context) XsrfToken(key string, expire int64) string {
if ctx._xsrf_token == "" {
token, ok := ctx.GetSecureCookie(key, "_xsrf")
if !ok {
token = string(utils.RandomCreateBytes(32))
ctx.SetSecureCookie(key, "_xsrf", token, expire)
}
ctx._xsrf_token = token
}
return ctx._xsrf_token
}
// CheckXsrfCookie checks xsrf token in this request is valid or not.
// the token can provided in request header "X-Xsrftoken" and "X-CsrfToken"
// or in form field value named as "_xsrf".
func (ctx *Context) CheckXsrfCookie() bool {
token := ctx.Input.Query("_xsrf")
if token == "" {
token = ctx.Request.Header.Get("X-Xsrftoken")
}
if token == "" {
token = ctx.Request.Header.Get("X-Csrftoken")
}
if token == "" {
ctx.Abort(403, "'_xsrf' argument missing from POST")
} else if ctx._xsrf_token != token {
ctx.Abort(403, "XSRF cookie does not match POST argument")
}
return true
}

View File

@ -25,7 +25,6 @@ import (
"github.com/astaxie/beego/context"
"github.com/astaxie/beego/session"
"github.com/astaxie/beego/utils"
)
//commonly used mime-types
@ -477,18 +476,13 @@ func (c *Controller) SetSecureCookie(Secret, name, value string, others ...inter
// XsrfToken creates a xsrf token string and returns.
func (c *Controller) XsrfToken() string {
if c._xsrf_token == "" {
token, ok := c.GetSecureCookie(XSRFKEY, "_xsrf")
if !ok {
var expire int64
if c.XSRFExpire > 0 {
expire = int64(c.XSRFExpire)
} else {
expire = int64(XSRFExpire)
}
token = string(utils.RandomCreateBytes(32))
c.SetSecureCookie(XSRFKEY, "_xsrf", token, expire)
var expire int64
if c.XSRFExpire > 0 {
expire = int64(c.XSRFExpire)
} else {
expire = int64(XSRFExpire)
}
c._xsrf_token = token
c._xsrf_token = c.Ctx.XsrfToken(XSRFKEY, expire)
}
return c._xsrf_token
}
@ -500,19 +494,7 @@ func (c *Controller) CheckXsrfCookie() bool {
if !c.EnableXSRF {
return true
}
token := c.GetString("_xsrf")
if token == "" {
token = c.Ctx.Request.Header.Get("X-Xsrftoken")
}
if token == "" {
token = c.Ctx.Request.Header.Get("X-Csrftoken")
}
if token == "" {
c.Ctx.Abort(403, "'_xsrf' argument missing from POST")
} else if c._xsrf_token != token {
c.Ctx.Abort(403, "XSRF cookie does not match POST argument")
}
return true
return c.Ctx.CheckXsrfCookie()
}
// XsrfFormHtml writes an input field contains xsrf token value.