auth
auth/config.go
Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie-based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.
1.1 --- a/config.go Sat Jan 24 10:34:33 2015 -0500 1.2 +++ b/config.go Wed Jan 28 07:27:32 2015 -0500 1.3 @@ -24,6 +24,7 @@ 1.4 Template *template.Template 1.5 LoginURI string 1.6 iterations int 1.7 + secureCookie bool 1.8 } 1.9 1.10 // Init is a function that preps the Config object to be used for Context creation, setting variables
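Review bot: The zero value of the new `secureCookie bool` field is `false`, so a Config that never sets it silently ships a session cookie without the Secure attribute, which is the opposite of the production requirement stated in the commit message. Consider inverting the flag (for example `allowInsecureCookie bool`) so that the default is the safe behaviour and only test setups have to opt out, or have `Init` default it to `true` and log a warning whenever Secure is disabled. The field is also unexported and this hunk does not show where it is populated, so please confirm that `Init` (whose comment is the trailing context here) actually accepts and sets it; otherwise nothing outside the package can turn it on.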