Comments (5)
Hey @elithrar,
Wouldn't using nosurf be much easier for CSRF?
from goji.
The way I did this last time is something like this:
import (
	"net/http"

	"github.com/zenazn/goji"
	"github.com/zenazn/goji/web"
)

type Params struct {
	foo int
}

type myMiddleware struct {
	h http.Handler
	c *web.C
	p Params
}

func (m myMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// ... anything that needs m.c or m.p before the wrapped handler runs
	m.h.ServeHTTP(w, r)
	// ... anything to do after it returns
}

// MyMiddleware returns a function with Goji's middleware signature, so the
// result can be handed straight to goji.Use.
func MyMiddleware(p Params) func(*web.C, http.Handler) http.Handler {
	return func(c *web.C, h http.Handler) http.Handler {
		return myMiddleware{h, c, p}
	}
}

func main() {
	// You can store this in a variable if you want to reference it again
	goji.Use(MyMiddleware(Params{
		foo: 4,
	}))
}
The way you're doing it would work as well. I haven't given much thought to which I prefer, but I think the way I wrote above probably will result in one fewer helper struct.
As for wrapping Gorilla, I've found that Gorilla does some... questionable things with global maps, which tends to result in unnecessary lock contention and (more importantly) the tendency to leak memory unless you're careful. I haven't looked very hard at nosurf, but it should be trivial to drop into Goji and probably doesn't do quite as much spooky action at a distance as Gorilla.
@zenazn Thanks for the example code. Extending/wrapping http.Handler is actually something I didn't think of at first, and it does look a bit cleaner. I'm definitely aware of the need to call context.ClearHandler(myHandler) to avoid any leaks from gorilla (I know that's a gotcha when not using gorilla/mux alongside), but beyond that I plan to use goji's own request context to pass the token to the wrapped handler and avoid Gorilla's there. nosurf still uses a global context map anyway, so I'm not sure it provides any distinct benefits on that front.
@dre1080 @zenazn I like nosurf, but you're also entirely tied to a cookie-based session store. Being able to use server-side sessions (particularly if you are already) is a nice win for security, and you also avoid the 4K limit on session size that browsers enforce on cookies. I'm also not quite sure nosurf's cookie contents are encrypted (as gorilla/sessions allows) from looking through the source, although if you're dealing with any POST data over vanilla HTTP, that's your second problem ;)
I'm happy to take advice otherwise, but I think there's some value in providing some Goji-centric anti-CSRF middleware.
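Editor's added example, tying the two comments above together. This is not code from goji, nosurf, gorilla or anyone in this thread: it is a parameterised anti-CSRF middleware written the way @zenazn's snippet suggests (a struct that holds the next handler plus its Params and implements http.Handler, built by a constructor closed over those Params), and it passes the token to the wrapped handler through the request's own context, which is the point @elithrar makes about avoiding a global request-to-value map. To build with the standard library alone it uses the plain net/http middleware shape and context.Context rather than goji's web.C; CSRFParams, TokenFromContext, the cookie/header/field names and the scripted session in demo are all this example's assumptions. The scheme is a double-submit cookie compared in constant time.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CSRFParams plays the role of the thread's Params struct (the names are this example's own).
type CSRFParams struct {
	CookieName string // cookie holding the token (double-submit scheme)
	HeaderName string // header an XHR/fetch client echoes the token in
	FieldName  string // form field a plain HTML form echoes the token in
}

type tokenKey struct{} // unexported context key: only TokenFromContext can read it

type csrfMiddleware struct {
	h http.Handler
	p CSRFParams
}

// CSRF is the constructor closed over its parameters (goji's would return func(*web.C, http.Handler) http.Handler).
func CSRF(p CSRFParams) func(http.Handler) http.Handler {
	return func(h http.Handler) http.Handler { return csrfMiddleware{h: h, p: p} }
}

func (m csrfMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c, _ := r.Cookie(m.p.CookieName)
	if c == nil || c.Value == "" { // missing, or empty: an empty token would match an empty submission
		c = &http.Cookie{Name: m.p.CookieName, Value: newToken(), Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode}
		http.SetCookie(w, c) // add Secure: true when serving over TLS
	}
	switch r.Method { // only state-changing methods must prove possession of the token
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
	default:
		sent := r.Header.Get(m.p.HeaderName)
		if sent == "" {
			sent = r.PostFormValue(m.p.FieldName)
		}
		if subtle.ConstantTimeCompare([]byte(sent), []byte(c.Value)) != 1 { // no early-exit timing leak
			http.Error(w, "CSRF token missing or invalid", http.StatusForbidden)
			return
		}
	}
	// The token rides the request-scoped context to the wrapped handler and dies with the request: nothing to clear.
	m.h.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, c.Value)))
}

// TokenFromContext is what a handler or template calls to embed the token in a form.
func TokenFromContext(ctx context.Context) string {
	t, _ := ctx.Value(tokenKey{}).(string)
	return t
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is not a condition to limp past
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// demoResult holds the outcome of one scripted session so it can be checked rather than only printed.
type demoResult struct {
	GetStatus, PostHeader, PostForm, PostWrong int
	HandlerSawCookieToken                      bool
}

func demo() demoResult {
	app := CSRF(CSRFParams{CookieName: "csrf", HeaderName: "X-CSRF-Token", FieldName: "csrf_token"})(
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprint(w, TokenFromContext(r.Context())) // a real handler would embed this in its form
		}))
	do := func(method, body, hdr string, c *http.Cookie) *httptest.ResponseRecorder { // constructed requests
		req := httptest.NewRequest(method, "/", strings.NewReader(body))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.Header.Set("X-CSRF-Token", hdr)
		if c != nil {
			req.AddCookie(c)
		}
		rec := httptest.NewRecorder()
		app.ServeHTTP(rec, req)
		return rec
	}
	var res demoResult
	first := do(http.MethodGet, "", "", nil) // the first GET mints the cookie
	res.GetStatus = first.Code
	cookie := first.Result().Cookies()[0]
	res.HandlerSawCookieToken = first.Body.String() == cookie.Value
	res.PostHeader = do(http.MethodPost, "", cookie.Value, cookie).Code
	res.PostForm = do(http.MethodPost, "csrf_token="+cookie.Value, "", cookie).Code
	res.PostWrong = do(http.MethodPost, "", "not-the-token", cookie).Code
	return res
}

func main() { fmt.Printf("%+v\n", demo()) }
```

Caveat worth keeping in mind when weighing this against the server-side-session approach discussed above: a bare double-submit cookie is only as strong as the browser's cookie jar for that host. Anything that can write cookies for it (a sibling subdomain, or an active attacker on a plaintext HTTP connection) can plant its own token and then echo it, which is exactly the gap that binding the token to a server-side session closes.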
RE: nosurf's global map: oh dear.
Anyways, you seem to know what you're doing so I'll stop bothering you with my unfounded opinions :)
Closing this specific one out - but am still working on the CSRF & sessions middleware when I can find some spare time.