Use ungrouped CSRF middleware on register and login POST routes

Initial middleware implementation for CSRF and update comment
Initial wrapper implementation
2023-07-21 11:59:55 -05:00 · 2023-07-21 11:59:01 -05:00 · 2023-07-07 18:05:17 -05:00 · 2023-05-05 12:19:17 -05:00 · 2023-05-04 09:00:35 -05:00 · 2023-04-07 21:32:39 -05:00
8 changed files with 49 additions and 25 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
 * text=auto eol=lf
--- a/README.md
+++ b/README.md
@ -15,6 +15,7 @@ fine with getting your hands dirty, but I plan on having it ready to go for more
 - CSRF protection
 - Minimal user login/registration + sessions
 - Config file handling
 - Scheduled tasks
 - Entire website compiles into a single binary (~10mb) (excluding env.json)
 - Minimal dependencies (just standard library, postgres driver, and experimental package for bcrypt)
--- a/controllers/postController.go
+++ b/controllers/postController.go
@ -3,7 +3,6 @@ package controllers
 import (
 	"GoWeb/app"
 	"GoWeb/models"
 	"GoWeb/security"
 	"log"
 	"net/http"
 	"time"
@ -15,13 +14,6 @@ type PostController struct {
 }
 func (postController *PostController) Login(w http.ResponseWriter, r *http.Request) {
 	// Validate csrf token
 	_, err := security.VerifyCsrfToken(r)
 	if err != nil {
 		log.Println("Error verifying csrf token")
 		return
 	}
 	username := r.FormValue("username")
 	password := r.FormValue("password")
 	remember := r.FormValue("remember") == "on"
@ -31,7 +23,7 @@ func (postController *PostController) Login(w http.ResponseWriter, r *http.Reque
 		http.Redirect(w, r, "/login", http.StatusFound)
 	}
-	_, err = models.AuthenticateUser(postController.App, w, username, password, remember)
+	_, err := models.AuthenticateUser(postController.App, w, username, password, remember)
 	if err != nil {
 		log.Println("Error authenticating user")
 		log.Println(err)
@ -43,13 +35,6 @@ func (postController *PostController) Login(w http.ResponseWriter, r *http.Reque
 }
 func (postController *PostController) Register(w http.ResponseWriter, r *http.Request) {
 	// Validate csrf token
 	_, err := security.VerifyCsrfToken(r)
 	if err != nil {
 		log.Println("Error verifying csrf token")
 		return
 	}
 	username := r.FormValue("username")
 	password := r.FormValue("password")
 	createdAt := time.Now()
@ -60,7 +45,7 @@ func (postController *PostController) Register(w http.ResponseWriter, r *http.Re
 		http.Redirect(w, r, "/register", http.StatusFound)
 	}
-	_, err = models.CreateUser(postController.App, username, password, createdAt, updatedAt)
+	_, err := models.CreateUser(postController.App, username, password, createdAt, updatedAt)
 	if err != nil {
 		log.Println("Error creating user")
 		log.Println(err)
--- a/go.mod
+++ b/go.mod
@ -3,6 +3,6 @@ module GoWeb
 go 1.20
 require (
-	github.com/lib/pq v1.10.7
+	github.com/lib/pq v1.10.9
-	golang.org/x/crypto v0.7.0
+	golang.org/x/crypto v0.8.0
 )
--- a/go.sum
+++ b/go.sum
@ -1,4 +1,4 @@
-github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
--- a/middleware/csrf.go
+++ b/middleware/csrf.go
@ -0,0 +1,22 @@
 package middleware
 import (
 	"GoWeb/security"
 	"log"
 	"net/http"
 )
 // CsrfMiddleware validates the CSRF token and returns the handler function if it succeded
 func CsrfMiddleware(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Verify csrf token
 		_, err := security.VerifyCsrfToken(r)
 		if err != nil {
 			log.Println("Error verifying csrf token")
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
 		}
 		f(w, r)
 	}
 }
--- a/middleware/wrapper.go
+++ b/middleware/wrapper.go
@ -0,0 +1,14 @@
 package middleware
 import "net/http"
 // ProcessMiddleware is a wrapper function for the http.HandleFunc function
 // that takes the function you want to execute (f) and the middleware you want
 // to execute (m) this should be used when processing multiple groups of middleware at a time
 func ProcessMiddleware(f func(w http.ResponseWriter, r *http.Request), m []func()) func(w http.ResponseWriter, r *http.Request) {
 	for _, middleware := range m {
 		middleware()
 	}
 	return f
 }
--- a/routes/postRoutes.go
+++ b/routes/postRoutes.go
@ -3,6 +3,7 @@ package routes
 import (
 	"GoWeb/app"
 	"GoWeb/controllers"
 	"GoWeb/middleware"
 	"net/http"
 )
@ -14,6 +15,6 @@ func PostRoutes(app *app.App) {
 	}
 	// User authentication
-	http.HandleFunc("/register-handle", postController.Register)
+	http.HandleFunc("/register-handle", middleware.CsrfMiddleware(postController.Register))
-	http.HandleFunc("/login-handle", postController.Login)
+	http.HandleFunc("/login-handle", middleware.CsrfMiddleware(postController.Login))
 }
Author	SHA1	Message	Date
Maximilian	bada24884a	Use ungrouped CSRF middleware on register and login POST routes	2023-07-21 11:59:55 -05:00
Maximilian	05397c2b61	Initial middleware implementation for CSRF and update comment	2023-07-21 11:59:01 -05:00
Maximilian	3d80b95f55	Initial wrapper implementation	2023-07-07 18:05:17 -05:00
Maximilian	6da7d408f9	Add .gitattributes to force LF line endings	2023-05-05 12:19:17 -05:00
max	e993bcf317	Update dependency versions	2023-05-04 09:00:35 -05:00
Maximilian	9b231a73d6	Update README.md	2023-04-07 21:32:39 -05:00