GoWeb/security/csrf.go

package security

import (
	"crypto/rand"
	"encoding/hex"
	"log"
	"math"
	"net/http"
	"time"
)

// GenerateCsrfToken generates a csrf token and assigns it to a cookie for double submit cookie csrf protection
func GenerateCsrfToken(w http.ResponseWriter, r *http.Request) (string, error) {
	// Generate random 64 character string (alpha-numeric)
	buff := make([]byte, int(math.Ceil(float64(64)/2)))
	_, err := rand.Read(buff)
	if err != nil {
		log.Println("Error creating random buffer for token value")
		log.Println(err)
		return "", err
	}
	str := hex.EncodeToString(buff)
	token := str[:64]

	// Create session cookie, containing token
	cookie := &http.Cookie{
		Name:     "csrf",
		Value:    token,
		Path:     "/",
		MaxAge:   1800,
		Expires:  time.Now().Add(24 * time.Hour),
		HttpOnly: true,
		Secure:   true,
	}

	http.SetCookie(w, cookie)

	return token, nil
}

// VerifyCsrfToken verifies the csrf token
func VerifyCsrfToken(r *http.Request) (bool, error) {
	// Get csrf cookie
	cookie, err := r.Cookie("csrf")
	if err != nil {
		log.Println("Error getting csrf cookie")
		log.Println(err)
		return false, err
	}

	// Get csrf token from form
	token := r.FormValue("csrf")

	// Compare csrf cookie and csrf token
	if cookie.Value == token {
		return true, nil
	}

	return false, nil
}
Add csrf protection functions 2022-11-14 18:03:51 +00:00			`package security`

			`import (`
			`"crypto/rand"`
			`"encoding/hex"`
			`"log"`
			`"math"`
			`"net/http"`
			`"time"`
			`)`

			`// GenerateCsrfToken generates a csrf token and assigns it to a cookie for double submit cookie csrf protection`
			`func GenerateCsrfToken(w http.ResponseWriter, r *http.Request) (string, error) {`
			`// Generate random 64 character string (alpha-numeric)`
			`buff := make([]byte, int(math.Ceil(float64(64)/2)))`
			`_, err := rand.Read(buff)`
			`if err != nil {`
			`log.Println("Error creating random buffer for token value")`
			`log.Println(err)`
			`return "", err`
			`}`
			`str := hex.EncodeToString(buff)`
			`token := str[:64]`

			`// Create session cookie, containing token`
			`cookie := &http.Cookie{`
			`Name: "csrf",`
			`Value: token,`
			`Path: "/",`
			`MaxAge: 1800,`
			`Expires: time.Now().Add(24 * time.Hour),`
			`HttpOnly: true,`
			`Secure: true,`
			`}`

			`http.SetCookie(w, cookie)`

			`return token, nil`
			`}`

			`// VerifyCsrfToken verifies the csrf token`
			`func VerifyCsrfToken(r *http.Request) (bool, error) {`
			`// Get csrf cookie`
			`cookie, err := r.Cookie("csrf")`
			`if err != nil {`
			`log.Println("Error getting csrf cookie")`
			`log.Println(err)`
			`return false, err`
			`}`

			`// Get csrf token from form`
			`token := r.FormValue("csrf")`

			`// Compare csrf cookie and csrf token`
			`if cookie.Value == token {`
			`return true, nil`
			`}`

			`return false, nil`
			`}`