csrf

The csrf middleware generates and validates CSRF tokens for Flame instances, it relies on the session middleware.

You can read source code of this middleware on GitHubcsrf - 图1open in new window and API documentation on pkg.go.devcsrf - 图2open in new window.

Installation

The minimum requirement of Go is 1.16.

  1. go get github.com/flamego/csrf

Usage examples

WARNING

Examples included in this section is to demonstrate the usage of the csrf middleware, by no means illustrates the idiomatic or even correct way of doing user authentication.

The csrf.Csrfercsrf - 图3open in new window works out-of-the-box with an optional csrf.Optionscsrf - 图4open in new window, and the csrf.Validatecsrf - 图5open in new window should be used to guard routes that needs CSRF validation:

  • main.go
  • templates/protected.tmpl
  1. package main
  3. import (
  4.     "net/http"
  6.     "github.com/flamego/csrf"
  7.     "github.com/flamego/flamego"
  8.     "github.com/flamego/session"
  9.     "github.com/flamego/template"
  10. )
  12. func main() {
  13.     f := flamego.Classic()
  14.     f.Use(template.Templater())
  15.     f.Use(session.Sessioner())
  16.     f.Use(csrf.Csrfer())
  18.     // Simulate the authentication of a session. If the "userID" exists,
  19.     // then redirect to a form that requires CSRF protection.
  20.     f.Get("/", func(c flamego.Context, s session.Session) {
  21.         if s.Get("userID") == nil {
  22.             c.Redirect("/login")
  23.             return
  24.         }
  25.         c.Redirect("/protected")
  26.     })
  28.     // Set uid for the session
  29.     f.Get("/login", func(c flamego.Context, s session.Session) {
  30.         s.Set("userID", 123)
  31.         c.Redirect("/")
  32.     })
  34.     // Render a protected form by passing a CSRF token using x.Token()
  35.     f.Get("/protected", func(c flamego.Context, s session.Session, x csrf.CSRF, t template.Template, data template.Data) {
  36.         if s.Get("userID") == nil {
  37.             c.Redirect("/login", http.StatusUnauthorized)
  38.             return
  39.         }
  41.         // Pass token to the protected template
  42.         data["CSRFToken"] = x.Token()
  43.         t.HTML(http.StatusOK, "protected")
  44.     })
  46.     // Apply CSRF validation to route
  47.     f.Post("/protected", csrf.Validate, func(c flamego.Context, s session.Session, t template.Template) {
  48.         if s.Get("userID") != nil {
  49.             c.ResponseWriter().Write([]byte("You submitted with a valid CSRF token"))
  50.             return
  51.         }
  52.         c.Redirect("/login", http.StatusUnauthorized)
  53.     })
  55.     f.Run()
  56. }
  1. <form action="/protected" method="POST">
  2.   <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
  3.   <button>Submit</button>
  4. </form>