117 lines
3.2 KiB
Go
117 lines
3.2 KiB
Go
package middlewares
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"GoMembership/internal/config"
|
|
"GoMembership/internal/server"
|
|
"GoMembership/internal/utils"
|
|
"GoMembership/pkg/logger"
|
|
)
|
|
|
|
// GenerateCSRFToken generates HMAC-signed CSRF token
|
|
func GenerateCSRFToken(sessionID string, secretKey string) string {
|
|
// Create message to be signed (e.g., combining sessionID with some random value)
|
|
randomString, err := utils.GenerateRandomString(8)
|
|
if err != nil {
|
|
logger.Error.Fatalf("Could not create random string: %v", err)
|
|
return ""
|
|
}
|
|
|
|
message := sessionID + "!" + randomString
|
|
|
|
// Create HMAC hash using SHA-256
|
|
h := hmac.New(sha256.New, []byte(secretKey))
|
|
h.Write([]byte(message))
|
|
signature := h.Sum(nil)
|
|
|
|
// Encode signature and message into a CSRF token
|
|
csrfToken := base64.StdEncoding.EncodeToString(signature) + "." + message
|
|
return csrfToken
|
|
}
|
|
|
|
func ComputeHMAC(message string, secretKey string) []byte {
|
|
h := hmac.New(sha256.New, []byte(secretKey))
|
|
h.Write([]byte(message))
|
|
return h.Sum(nil)
|
|
}
|
|
|
|
// CSRFMiddleware verifies HMAC-signed CSRF token
|
|
func CSRFMiddleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(
|
|
func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
csrfSecret := config.Auth.CSRFSecret
|
|
// Retrieve CSRF token from request (e.g., from cookie, header, or form data)
|
|
csrfToken := r.Header.Get("X-CSRF-Token")
|
|
|
|
// Extract signature and message from CSRF token
|
|
parts := strings.SplitN(csrfToken, ".", 2)
|
|
if len(parts) != 2 {
|
|
http.Error(w, "Invalid CSRF token", http.StatusForbidden)
|
|
return
|
|
}
|
|
receivedSignature := parts[0]
|
|
receivedMessage := parts[1]
|
|
|
|
// Compute HMAC using the received message and the CSRF secret key
|
|
computedSignature := ComputeHMAC(receivedMessage, csrfSecret)
|
|
|
|
// Compare computed HMAC with received signature
|
|
if !hmac.Equal([]byte(receivedSignature), computedSignature) {
|
|
http.Error(w, "CSRF Token validation failed", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// CSRF token is valid, proceed to the next handler
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func GenerateCSRFTokenHandler(w http.ResponseWriter, r *http.Request) {
|
|
// Simulate getting session ID from authenticated session
|
|
sessionID := "exampleSessionID123"
|
|
|
|
// Generate HMAC-signed CSRF token
|
|
csrfToken := GenerateCSRFToken(sessionID, config.Auth.CSRFSecret)
|
|
|
|
// Set CSRF token in a cookie (example)
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "csrf_token",
|
|
Value: csrfToken,
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
Secure: true,
|
|
})
|
|
}
|
|
|
|
/* func GenerateCSRFTokenHandler() http.Handler {
|
|
return http.HandlerFunc(
|
|
func(w http.ResponseWriter, r *http.Request) {
|
|
token, err := GenerateCSRFToken()
|
|
if err != nil {
|
|
http.Error(w, "Could not generate CSRF token", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Set CSRF token in cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "csrf_token",
|
|
Value: token,
|
|
Path: "/",
|
|
})
|
|
|
|
logger.Info.Printf("generated token: %v", token)
|
|
// Return CSRF token in response
|
|
w.Header().Set("X-CSRF-Token", token)
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
} */
|