forked from justinas/nosurf
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat: add disable * ci: run on ubuntu latest
- Loading branch information
Showing
5 changed files
with
129 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| package nosurf | ||
|
|
||
| import "net/http" | ||
|
|
||
| type Handler interface { | ||
| http.Handler | ||
| // RegenerateToken regenerates a CSRF token and sets the cookie. | ||
| RegenerateToken(w http.ResponseWriter, r *http.Request) string | ||
|
|
||
| // ExemptPath will not require CSRF validation but will still set the | ||
| // cookie if it has not yet been set. | ||
| ExemptPath(string) | ||
|
|
||
| // IgnorePath will not require CSRF validation and also not set the CSRF | ||
| // cookie, but it will set the CSRF token (if available) in the request context. | ||
| IgnorePath(string) | ||
|
|
||
| // IgnoreGlob behaves similar to IgnorePath but allows defining a glob. | ||
| IgnoreGlob(string) | ||
|
|
||
| // IgnoreGlobs behaves similar to IgnorePath but allows defining globs. | ||
| IgnoreGlobs(...string) | ||
|
|
||
| // DisablePath will not require CSRF validation and also not set the CSRF | ||
| // cookie, and it will also not set the CSRF token in the request context. | ||
| DisablePath(string) | ||
|
|
||
| // DisableGlob behaves similar to DisablePath but allows defining a glob. | ||
| DisableGlob(string) | ||
|
|
||
| // DisableGlobs behaves similar to DisablePath but allows defining globs. | ||
| DisableGlobs(...string) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| package nosurf | ||
|
|
||
| import ( | ||
| "net/http" | ||
| pathModule "path" | ||
| ) | ||
|
|
||
| // Disables the CSRF middleware for an exact path | ||
| // With this you should take note that Go's paths | ||
| // include a leading slash. | ||
| func (h *CSRFHandler) DisablePath(path string) { | ||
| h.disablePaths = append(h.disablePaths, path) | ||
| } | ||
|
|
||
| // Checks if the given request disables this middleware | ||
| func (h *CSRFHandler) IsDisabled(r *http.Request) bool { | ||
| path := r.URL.Path | ||
| if sContains(h.disablePaths, path) { | ||
| return true | ||
| } | ||
|
|
||
| // then the globs | ||
| for _, glob := range h.disableGlobs { | ||
| matched, err := pathModule.Match(glob, path) | ||
| if matched && err == nil { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| } | ||
|
|
||
| func (h *CSRFHandler) DisableGlob(pattern string) { | ||
| h.disableGlobs = append(h.disableGlobs, pattern) | ||
| } | ||
|
|
||
| func (h *CSRFHandler) DisableGlobs(patterns ...string) { | ||
| h.disableGlobs = append(h.disableGlobs, patterns...) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| package nosurf | ||
|
|
||
| import ( | ||
| "net/http" | ||
| "testing" | ||
| ) | ||
|
|
||
| func TestDisablePath(t *testing.T) { | ||
| // the handler doesn't matter here, let's use nil | ||
| hand := New(nil) | ||
| path := "/home" | ||
| exempt, _ := http.NewRequest("GET", path, nil) | ||
|
|
||
| hand.DisablePath(path) | ||
| if !hand.IsDisabled(exempt) { | ||
| t.Errorf("%v is not exempt, but it should be", exempt.URL.Path) | ||
| } | ||
|
|
||
| other, _ := http.NewRequest("GET", "/faq", nil) | ||
| if hand.IsDisabled(other) { | ||
| t.Errorf("%v is exempt, but it shouldn't be", other.URL.Path) | ||
| } | ||
| } | ||
|
|
||
| func TestDisableGlob(t *testing.T) { | ||
| hand := New(nil) | ||
| glob := "/nail/*" | ||
|
|
||
| hand.DisableGlob(glob) | ||
|
|
||
| test, _ := http.NewRequest("GET", "/nail/foo", nil) | ||
| if !hand.IsDisabled(test) { | ||
| t.Errorf("%v should be exempt, but it isn't.", test) | ||
| } | ||
|
|
||
| test, _ = http.NewRequest("GET", "/nail/foo/bar", nil) | ||
| if hand.IsDisabled(test) { | ||
| t.Errorf("%v should not be exempt, but it is.", test) | ||
| } | ||
|
|
||
| test, _ = http.NewRequest("GET", "/not-nail/foo", nil) | ||
| if hand.IsDisabled(test) { | ||
| t.Errorf("%v should not be exempt, but it is.", test) | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters