17:1f04b1146cad
Implement CSRF prevention and pass info to confirmation. Implement CSRF prevention using the nosurf package. Note that the handler still needs to be wrapped before this will work. Pass info on the authorization being requested (namely the client and the scope) to the RenderConfirmation page so that the user can make an educated decision.
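--- a/authorize.go Sat Aug 16 06:18:09 2014 -0400
+++ b/authorize.go Sat Aug 16 18:05:10 2014 -0400
@@ -140,7 +140,7 @@
 func (req AuthRequest) handleCodeRequest(w http.ResponseWriter, r *http.Request, ctx Context) {
 
 	if r.Method == "GET" {
-		ctx.RenderConfirmation(w)
+		ctx.RenderConfirmation(w, r, req)
 		return
 	} else if r.Method != "POST" {
 		ctx.RenderError(w, InvalidMethodError)
@@ -148,7 +148,7 @@
 	}
 
 	if err := validateSession(r, ctx); err == ErrorNotAuthenticated {
-		ctx.RenderLogin(w)
+		ctx.RenderLogin(w, r)
 		return
 	} else if err != nil {
 		ctx.RenderError(w, err)
@@ -193,7 +193,7 @@
 func (req AuthRequest) handleTokenRequest(w http.ResponseWriter, r *http.Request, ctx Context) {
 
 	if r.Method == "GET" {
-		ctx.RenderConfirmation(w)
+		ctx.RenderConfirmation(w, r, req)
 		return
 	} else if r.Method != "POST" {
 		ctx.RenderError(w, InvalidMethodError)
@@ -201,7 +201,7 @@
 	}
 
 	if err := validateSession(r, ctx); err == ErrorNotAuthenticated {
-		ctx.RenderLogin(w)
+		ctx.RenderLogin(w, r)
 		return
 	} else if err != nil {
 		ctx.RenderError(w, err)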
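Review bot: The POST branches of handleCodeRequest and handleTokenRequest (from `if err := validateSession(r, ctx); ...` onward) still perform no CSRF check of their own; the token the GET branches now embed via `ctx.RenderConfirmation(w, r, req)` is only verified if the enclosing handler is wrapped by nosurf, which the commit message says has not been done yet. If a deployment omits that wrapper, `nosurf.Token(r)` presumably yields an empty string and the confirmation POST is accepted with no CSRF protection and no error, so the failure mode is silent. I would pin the dependency with a comment on the first `ctx.RenderConfirmation(w, r, req)` call, e.g. `// CSRF: the token is validated only by the nosurf wrapper around this handler, not here.`, and add a startup-time check or test that the wrapper is installed. The same applies to the identical prologue in handleTokenRequest at line 193; both functions continue outside the hunk.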
2.1 --- a/context.go Sat Aug 16 06:18:09 2014 -0400 2.2 +++ b/context.go Sat Aug 16 18:05:10 2014 -0400 2.3 @@ -5,6 +5,9 @@ 2.4 "html/template" 2.5 "io" 2.6 "log" 2.7 + "net/http" 2.8 + 2.9 + "github.com/justinas/nosurf" 2.10 ) 2.11 2.12 type Context struct { 2.13 @@ -60,26 +63,30 @@ 2.14 } 2.15 } 2.16 2.17 -func (c Context) RenderConfirmation(w io.Writer) { 2.18 +func (c Context) RenderConfirmation(w io.Writer, r *http.Request, req AuthRequest) { 2.19 if c.Templates.Confirmation == nil { 2.20 log.Println("Confirmation template is nil, can't render confirmation.") 2.21 return 2.22 } 2.23 - // TODO: CSRF prevention 2.24 - err := c.Templates.Confirmation.Execute(w, nil) 2.25 + err := c.Templates.Confirmation.Execute(w, map[string]interface{}{ 2.26 + "scope": req.Scope, 2.27 + "client": req.Client, 2.28 + "csrf_token": nosurf.Token(r), 2.29 + }) 2.30 if err != nil { 2.31 log.Printf("Error executing confirmation template: %s\n", err) 2.32 return 2.33 } 2.34 } 2.35 2.36 -func (c Context) RenderLogin(w io.Writer) { 2.37 +func (c Context) RenderLogin(w io.Writer, r *http.Request) { 2.38 if c.Templates.Login == nil { 2.39 log.Println("Login template is nil, can't render confirmation.") 2.40 return 2.41 } 2.42 - // TODO: CSRF prevention 2.43 - err := c.Templates.Login.Execute(w, nil) 2.44 + err := c.Templates.Login.Execute(w, map[string]interface{}{ 2.45 + "csrf_token": nosurf.Token(r), 2.46 + }) 2.47 if err != nil { 2.48 log.Printf("Error executing login template: %s\n", err) 2.49 return