mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-24 11:31:54 +01:00
6433ba0ec3
Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR. - [x] Define `context.ResponseWriter` interface with an implementation `context.Response`. - [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before. - [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic . - [x] Use https://github.com/unrolled/render instead of macaron's internal render - [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip - [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK** - [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha - [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache - [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding - [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors - [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation` - [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle. - [x] Removed macaron log service because it's not need any more. **BREAK** - [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition. - [x] Move Git HTTP protocol implementation to use routers directly. - [x] Fix the problem that chi routes don't support trailing slash but macaron did. - [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render. Notices: - Chi router don't support request with trailing slash - Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI. Co-authored-by: 6543 <6543@obermui.de>
265 lines
7.4 KiB
Go
265 lines
7.4 KiB
Go
// Copyright 2013 Martini Authors
|
|
// Copyright 2014 The Macaron Authors
|
|
// Copyright 2021 The Gitea Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License"): you may
|
|
// not use this file except in compliance with the License. You may obtain
|
|
// a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
// License for the specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
// a middleware that generates and validates CSRF tokens.
|
|
|
|
package context
|
|
|
|
import (
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/unknwon/com"
|
|
)
|
|
|
|
// CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
|
|
type CSRF interface {
|
|
// Return HTTP header to search for token.
|
|
GetHeaderName() string
|
|
// Return form value to search for token.
|
|
GetFormName() string
|
|
// Return cookie name to search for token.
|
|
GetCookieName() string
|
|
// Return cookie path
|
|
GetCookiePath() string
|
|
// Return the flag value used for the csrf token.
|
|
GetCookieHTTPOnly() bool
|
|
// Return the token.
|
|
GetToken() string
|
|
// Validate by token.
|
|
ValidToken(t string) bool
|
|
// Error replies to the request with a custom function when ValidToken fails.
|
|
Error(w http.ResponseWriter)
|
|
}
|
|
|
|
type csrf struct {
|
|
// Header name value for setting and getting csrf token.
|
|
Header string
|
|
// Form name value for setting and getting csrf token.
|
|
Form string
|
|
// Cookie name value for setting and getting csrf token.
|
|
Cookie string
|
|
//Cookie domain
|
|
CookieDomain string
|
|
//Cookie path
|
|
CookiePath string
|
|
// Cookie HttpOnly flag value used for the csrf token.
|
|
CookieHTTPOnly bool
|
|
// Token generated to pass via header, cookie, or hidden form value.
|
|
Token string
|
|
// This value must be unique per user.
|
|
ID string
|
|
// Secret used along with the unique id above to generate the Token.
|
|
Secret string
|
|
// ErrorFunc is the custom function that replies to the request when ValidToken fails.
|
|
ErrorFunc func(w http.ResponseWriter)
|
|
}
|
|
|
|
// GetHeaderName returns the name of the HTTP header for csrf token.
|
|
func (c *csrf) GetHeaderName() string {
|
|
return c.Header
|
|
}
|
|
|
|
// GetFormName returns the name of the form value for csrf token.
|
|
func (c *csrf) GetFormName() string {
|
|
return c.Form
|
|
}
|
|
|
|
// GetCookieName returns the name of the cookie for csrf token.
|
|
func (c *csrf) GetCookieName() string {
|
|
return c.Cookie
|
|
}
|
|
|
|
// GetCookiePath returns the path of the cookie for csrf token.
|
|
func (c *csrf) GetCookiePath() string {
|
|
return c.CookiePath
|
|
}
|
|
|
|
// GetCookieHTTPOnly returns the flag value used for the csrf token.
|
|
func (c *csrf) GetCookieHTTPOnly() bool {
|
|
return c.CookieHTTPOnly
|
|
}
|
|
|
|
// GetToken returns the current token. This is typically used
|
|
// to populate a hidden form in an HTML template.
|
|
func (c *csrf) GetToken() string {
|
|
return c.Token
|
|
}
|
|
|
|
// ValidToken validates the passed token against the existing Secret and ID.
|
|
func (c *csrf) ValidToken(t string) bool {
|
|
return ValidToken(t, c.Secret, c.ID, "POST")
|
|
}
|
|
|
|
// Error replies to the request when ValidToken fails.
|
|
func (c *csrf) Error(w http.ResponseWriter) {
|
|
c.ErrorFunc(w)
|
|
}
|
|
|
|
// CsrfOptions maintains options to manage behavior of Generate.
|
|
type CsrfOptions struct {
|
|
// The global secret value used to generate Tokens.
|
|
Secret string
|
|
// HTTP header used to set and get token.
|
|
Header string
|
|
// Form value used to set and get token.
|
|
Form string
|
|
// Cookie value used to set and get token.
|
|
Cookie string
|
|
// Cookie domain.
|
|
CookieDomain string
|
|
// Cookie path.
|
|
CookiePath string
|
|
CookieHTTPOnly bool
|
|
// SameSite set the cookie SameSite type
|
|
SameSite http.SameSite
|
|
// Key used for getting the unique ID per user.
|
|
SessionKey string
|
|
// oldSessionKey saves old value corresponding to SessionKey.
|
|
oldSessionKey string
|
|
// If true, send token via X-CSRFToken header.
|
|
SetHeader bool
|
|
// If true, send token via _csrf cookie.
|
|
SetCookie bool
|
|
// Set the Secure flag to true on the cookie.
|
|
Secure bool
|
|
// Disallow Origin appear in request header.
|
|
Origin bool
|
|
// The function called when Validate fails.
|
|
ErrorFunc func(w http.ResponseWriter)
|
|
// Cookie life time. Default is 0
|
|
CookieLifeTime int
|
|
}
|
|
|
|
func prepareOptions(options []CsrfOptions) CsrfOptions {
|
|
var opt CsrfOptions
|
|
if len(options) > 0 {
|
|
opt = options[0]
|
|
}
|
|
|
|
// Defaults.
|
|
if len(opt.Secret) == 0 {
|
|
opt.Secret = string(com.RandomCreateBytes(10))
|
|
}
|
|
if len(opt.Header) == 0 {
|
|
opt.Header = "X-CSRFToken"
|
|
}
|
|
if len(opt.Form) == 0 {
|
|
opt.Form = "_csrf"
|
|
}
|
|
if len(opt.Cookie) == 0 {
|
|
opt.Cookie = "_csrf"
|
|
}
|
|
if len(opt.CookiePath) == 0 {
|
|
opt.CookiePath = "/"
|
|
}
|
|
if len(opt.SessionKey) == 0 {
|
|
opt.SessionKey = "uid"
|
|
}
|
|
opt.oldSessionKey = "_old_" + opt.SessionKey
|
|
if opt.ErrorFunc == nil {
|
|
opt.ErrorFunc = func(w http.ResponseWriter) {
|
|
http.Error(w, "Invalid csrf token.", http.StatusBadRequest)
|
|
}
|
|
}
|
|
|
|
return opt
|
|
}
|
|
|
|
// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token.
|
|
// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
|
|
func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
|
|
opt = prepareOptions([]CsrfOptions{opt})
|
|
x := &csrf{
|
|
Secret: opt.Secret,
|
|
Header: opt.Header,
|
|
Form: opt.Form,
|
|
Cookie: opt.Cookie,
|
|
CookieDomain: opt.CookieDomain,
|
|
CookiePath: opt.CookiePath,
|
|
CookieHTTPOnly: opt.CookieHTTPOnly,
|
|
ErrorFunc: opt.ErrorFunc,
|
|
}
|
|
|
|
if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
|
|
return x
|
|
}
|
|
|
|
x.ID = "0"
|
|
uid := ctx.Session.Get(opt.SessionKey)
|
|
if uid != nil {
|
|
x.ID = com.ToStr(uid)
|
|
}
|
|
|
|
needsNew := false
|
|
oldUID := ctx.Session.Get(opt.oldSessionKey)
|
|
if oldUID == nil || oldUID.(string) != x.ID {
|
|
needsNew = true
|
|
_ = ctx.Session.Set(opt.oldSessionKey, x.ID)
|
|
} else {
|
|
// If cookie present, map existing token, else generate a new one.
|
|
if val := ctx.GetCookie(opt.Cookie); len(val) > 0 {
|
|
// FIXME: test coverage.
|
|
x.Token = val
|
|
} else {
|
|
needsNew = true
|
|
}
|
|
}
|
|
|
|
if needsNew {
|
|
// FIXME: actionId.
|
|
x.Token = GenerateToken(x.Secret, x.ID, "POST")
|
|
if opt.SetCookie {
|
|
var expires interface{}
|
|
if opt.CookieLifeTime == 0 {
|
|
expires = time.Now().AddDate(0, 0, 1)
|
|
}
|
|
ctx.SetCookie(opt.Cookie, x.Token, opt.CookieLifeTime, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHTTPOnly, expires,
|
|
func(c *http.Cookie) {
|
|
c.SameSite = opt.SameSite
|
|
},
|
|
)
|
|
}
|
|
}
|
|
|
|
if opt.SetHeader {
|
|
ctx.Resp.Header().Add(opt.Header, x.Token)
|
|
}
|
|
return x
|
|
}
|
|
|
|
// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken"
|
|
// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated
|
|
// using ValidToken. If this validation fails, custom Error is sent in the reply.
|
|
// If neither a header or form value is found, http.StatusBadRequest is sent.
|
|
func Validate(ctx *Context, x CSRF) {
|
|
if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
|
|
if !x.ValidToken(token) {
|
|
ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
|
|
x.Error(ctx.Resp)
|
|
}
|
|
return
|
|
}
|
|
if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
|
|
if !x.ValidToken(token) {
|
|
ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
|
|
x.Error(ctx.Resp)
|
|
}
|
|
return
|
|
}
|
|
|
|
http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
|
|
}
|