Package xsrf

v0.0.0-...-1557bcf
Published: Aug 13, 2020 | License: Apache-2.0 | Module: github.com/luci/luci-go

Overview

Package xsrf provides Cross Site Request Forgery prevention middleware.

Usage:

1. When serving a GET request, put a hidden "xsrf_token" input field with
   the token value into the form. Use TokenField(...) to generate it.
2. Wrap the POST-handling route with the WithTokenCheck(...) middleware.

Index

func Check

func Check(c context.Context, tok string) error

Check returns nil if the XSRF token is valid.

func Token

func Token(c context.Context) (string, error)

Token generates a new XSRF token bound to the current caller.

The token is a URL-safe base64-encoded string. It lives for 4 hours and may potentially be used multiple times (i.e. the token is stateless).

Put it in hidden form field under the name of "xsrf_token", e.g. <input type="hidden" name="xsrf_token" value="{{.XsrfToken}}">.

Later WithTokenCheck will grab it from there and verify its validity.

func TokenField

func TokenField(c context.Context) template.HTML

TokenField generates an "<input type="hidden" ...>" field with the token.

It can be put into HTML forms directly. Panics on errors.

func WithTokenCheck

func WithTokenCheck(c *router.Context, next router.Handler)

WithTokenCheck is middleware that checks validity of XSRF tokens.

It searches for the token in the "xsrf_token" POST form field (as generated by TokenField). It aborts the request with HTTP 403 if the XSRF token is missing or invalid.
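
The following is an added illustration, not luci-go's code, of how a stateless, caller-bound token with a 4-hour lifetime and a 403-on-failure check can be built from the Go standard library alone. The HMAC-SHA256 construction, the macKey value, the explicit caller string and the clock parameter are assumptions made for this sketch.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"net/http"
	"time"
)

const tokenTTL = 4 * time.Hour              // lifetime stated in the package docs
var macKey = []byte("constructed-demo-key") // assumption: a real key comes from a secret store
func sign(caller string, exp []byte) []byte { // HMAC over 8-byte expiry + caller identity
	h := hmac.New(sha256.New, macKey)
	h.Write(append(exp[:8:8], caller...)) // capped slice forces a copy, input is untouched
	return h.Sum(nil)
}

// Token returns base64url(expiry || MAC); the server stores nothing per token.
func Token(caller string, now time.Time) string {
	exp := make([]byte, 8)
	binary.BigEndian.PutUint64(exp, uint64(now.Add(tokenTTL).Unix()))
	return base64.RawURLEncoding.EncodeToString(append(exp, sign(caller, exp)...))
}

// Check returns nil only for an unexpired token minted for this caller.
func Check(caller, tok string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) != 8+sha256.Size || !hmac.Equal(raw[8:], sign(caller, raw[:8])) {
		return fmt.Errorf("xsrf: malformed token or wrong caller")
	}
	if now.Unix() >= int64(binary.BigEndian.Uint64(raw[:8])) {
		return fmt.Errorf("xsrf: token expired")
	}
	return nil
}

// WithTokenCheck answers 403 unless the "xsrf_token" POST field passes Check.
func WithTokenCheck(caller func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if Check(caller(r), r.PostFormValue("xsrf_token"), time.Now()) != nil {
			http.Error(w, "XSRF token check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { fmt.Println(Check("alice", Token("alice", time.Now()), time.Now())) }
```

Because the token is stateless, it stays replayable by the same caller until it expires; binding the MAC to the caller identity is what stops one user's token from validating another user's POST.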

Documentation was rendered with GOOS=linux and GOARCH=amd64.
