fixed csrf
@@ -7,17 +7,15 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
)
|
)
|
||||||
|
|
||||||
func accessLog(w http.ResponseWriter, r *http.Request, user *string, actType int, fieldUpdated interface{}) {
|
func accessLog(r *http.Request, user *string, actType int, fieldUpdated interface{}) error {
|
||||||
email, err := helper.ExtractEmailFromToken(r.Header.Get(Authorization))
|
email, err := helper.ExtractEmailFromToken(r.Header.Get(Authorization))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
helper.RespondWithError(w, http.StatusUnauthorized, UnauthorizedAccess)
|
return fmt.Errorf("%s", UnauthorizedAccess)
|
||||||
return
|
|
||||||
}
|
}
|
||||||
userID, err := services.GetUserIDFromEmail(email)
|
userID, err := services.GetUserIDFromEmail(email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
helper.LogError(err, ErrorExtractingMailFromToken)
|
helper.LogError(err, ErrorExtractingMailFromToken)
|
||||||
helper.RespondWithError(w, http.StatusBadRequest, ErrorExtractingMailFromToken)
|
return fmt.Errorf("%s", ErrorExtractingMailFromToken)
|
||||||
return
|
|
||||||
}
|
}
|
||||||
ipAddress := getIPAddress(r)
|
ipAddress := getIPAddress(r)
|
||||||
err = helper.LogEvent(userID, user, ipAddress, actType, fieldUpdated)
|
err = helper.LogEvent(userID, user, ipAddress, actType, fieldUpdated)
|
||||||
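Review bot: The new returns `return fmt.Errorf("%s", UnauthorizedAccess)` and `return fmt.Errorf("%s", ErrorExtractingMailFromToken)` discard the underlying `err` from ExtractEmailFromToken and GetUserIDFromEmail, so the caller that now only logs the result (LogoutHandler) can never see why the lookup failed; the `return fmt.Errorf("Failed to %s", errMsg)` line in the next hunk drops the LogEvent error the same way. Wrapping keeps the cause inspectable, e.g. `return fmt.Errorf("%s: %w", UnauthorizedAccess, err)`. Dropping the `w` parameter also means accessLog no longer answers with 401/400/500 itself, so any other call site that relied on that response must now handle the returned error; only LogoutHandler's call is visible on this page. accessLog's body continues past this hunk.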
@@ -26,7 +24,8 @@ func accessLog(w http.ResponseWriter, r *http.Request, user *string, actType int
|
|||||||
if err == nil {
|
if err == nil {
|
||||||
errMsg = "Perform Action"
|
errMsg = "Perform Action"
|
||||||
}
|
}
|
||||||
helper.RespondWithError(w, http.StatusInternalServerError, fmt.Sprintf("Failed to %s", errMsg))
|
return fmt.Errorf("Failed to %s", errMsg)
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -633,7 +633,9 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
|
|||||||
helper.LogError(err, "Failed to parse JWT token during logout")
|
helper.LogError(err, "Failed to parse JWT token during logout")
|
||||||
}
|
}
|
||||||
|
|
||||||
accessLog(w, r, nil, 18, nil)
|
if err := accessLog(r, nil, 18, nil); err != nil {
|
||||||
|
helper.LogError(err, "Failed to write access log during logout")
|
||||||
|
}
|
||||||
|
|
||||||
clearRefreshTokenCookie(w)
|
clearRefreshTokenCookie(w)
|
||||||
|
|
||||||
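Review bot: The action type `18` in `accessLog(r, nil, 18, nil)` is an unexplained literal; nothing in the surrounding code says which event it records, so a reader cannot tell what this log entry means. A named constant declared alongside the other action types (if such a list exists), or at least a trailing comment such as `// 18: logout event`, would document it. Logging the access-log failure and still continuing to `clearRefreshTokenCookie(w)` looks deliberate for a logout path, but a one-line comment stating that the access log is best-effort here would make that intent explicit. LogoutHandler starts and ends outside this hunk.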
|
|||||||
@@ -6,6 +6,8 @@ import (
|
|||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
@@ -80,6 +82,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
|
|||||||
})
|
})
|
||||||
|
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
log.Print("Request headers: ", r.Header)
|
||||||
if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
|
if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
|
||||||
// For GET requests, generate and set a new CSRF token
|
// For GET requests, generate and set a new CSRF token
|
||||||
token, err := generateCSRFToken()
|
token, err := generateCSRFToken()
|
||||||
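Review bot: `log.Print("Request headers: ", r.Header)` writes every header of every request passing through the middleware to the log, which includes `Authorization` (this codebase reads bearer tokens via `r.Header.Get(Authorization)`) and `Cookie` (the refresh-token cookie that `clearRefreshTokenCookie` removes), so credentials land in plaintext logs on every request. Remove the line, or log only non-credential fields such as `log.Printf("%s %s", r.Method, r.URL.Path)`; if full headers are needed while debugging the CSRF issue, gate the line behind a debug flag and redact Authorization, Cookie and the CSRF token header before printing. The HandlerFunc and CSRFMiddleware itself start and end outside this hunk.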
@@ -113,6 +116,12 @@ func CSRFMiddleware(next http.Handler) http.Handler {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if strings.Contains(tokenFromHeader, "%") {
|
||||||
|
if decoded, err := url.QueryUnescape(tokenFromHeader); err == nil {
|
||||||
|
tokenFromHeader = decoded
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !validateToken(tokenFromHeader) {
|
if !validateToken(tokenFromHeader) {
|
||||||
helper.RespondWithError(w, http.StatusForbidden, "Invalid or expired CSRF token")
|
helper.RespondWithError(w, http.StatusForbidden, "Invalid or expired CSRF token")
|
||||||
return
|
return
|
||||||
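Review bot: `url.QueryUnescape` rewrites `+` to a space in addition to decoding `%XX`, so if the token alphabet contains `+` (the file imports encoding/base64, which suggests it does — confirm against generateCSRFToken), a token that also carries a percent-escape is corrupted before `validateToken` sees it, and only for clients that happened to escape some characters. `url.PathUnescape` decodes the escapes without touching `+`: `if decoded, err := url.PathUnescape(tokenFromHeader); err == nil {`. Accepting the header in both raw and percent-encoded form also means two different strings validate as the same token; it would be cleaner to have the client send the raw value, or to decode unconditionally instead of keying on `strings.Contains(tokenFromHeader, "%")`. The enclosing HandlerFunc and CSRFMiddleware start and end outside this hunk, and tokenFromHeader is assigned above it.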
|
|||||||