Add csrf protection functions

2022-11-14 12:03:51 -06:00 · 2022-11-14 12:03:51 -06:00 · 58af44bdd6
commit 58af44bdd6
parent 35f7cb7601
1 changed files with 60 additions and 0 deletions
--- a/security/csrf.go
+++ b/security/csrf.go
@ -0,0 +1,60 @@
+package security
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"log"
+	"math"
+	"net/http"
+	"time"
+)
+
+// GenerateCsrfToken generates a csrf token and assigns it to a cookie for double submit cookie csrf protection
+func GenerateCsrfToken(w http.ResponseWriter, r *http.Request) (string, error) {
+	// Generate random 64 character string (alpha-numeric)
+	buff := make([]byte, int(math.Ceil(float64(64)/2)))
+	_, err := rand.Read(buff)
+	if err != nil {
+		log.Println("Error creating random buffer for token value")
+		log.Println(err)
+		return "", err
+	}
+	str := hex.EncodeToString(buff)
+	token := str[:64]
+
+	// Create session cookie, containing token
+	cookie := &http.Cookie{
+		Name:     "csrf",
+		Value:    token,
+		Path:     "/",
+		MaxAge:   1800,
+		Expires:  time.Now().Add(24 * time.Hour),
+		HttpOnly: true,
+		Secure:   true,
+	}
+
+	http.SetCookie(w, cookie)
+
+	return token, nil
+}
+
+// VerifyCsrfToken verifies the csrf token
+func VerifyCsrfToken(r *http.Request) (bool, error) {
+	// Get csrf cookie
+	cookie, err := r.Cookie("csrf")
+	if err != nil {
+		log.Println("Error getting csrf cookie")
+		log.Println(err)
+		return false, err
+	}
+
+	// Get csrf token from form
+	token := r.FormValue("csrf")
+
+	// Compare csrf cookie and csrf token
+	if cookie.Value == token {
+		return true, nil
+	}
+
+	return false, nil
+}