aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middleware/token.go
blob: e1666f7fe43a90015e1be9bf414e3d07b255208f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

// Copyright 2017 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.

package middleware

import (
	"context"
	"net/http"

	"github.com/miniflux/miniflux/logger"
	"github.com/miniflux/miniflux/model"
	"github.com/miniflux/miniflux/storage"
)

// TokenMiddleware represents a token middleware.
type TokenMiddleware struct {
	store *storage.Storage
}

// Handler execute the middleware.
func (t *TokenMiddleware) Handler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var err error
		token := t.getTokenValueFromCookie(r)

		if token == nil {
			logger.Debug("[Middleware:Token] Token not found")
			token, err = t.store.CreateToken()
			if err != nil {
				logger.Error("[Middleware:Token] %v", err)
				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
				return
			}

			cookie := &http.Cookie{
				Name:     "tokenID",
				Value:    token.ID,
				Path:     "/",
				Secure:   r.URL.Scheme == "https",
				HttpOnly: true,
			}

			http.SetCookie(w, cookie)
		} else {
			logger.Info("[Middleware:Token] %s", token)
		}

		isTokenValid := token.Value == r.FormValue("csrf") || token.Value == r.Header.Get("X-Csrf-Token")

		if r.Method == "POST" && !isTokenValid {
			logger.Error("[Middleware:CSRF] Invalid or missing CSRF token!")
			w.WriteHeader(http.StatusBadRequest)
			w.Write([]byte("Invalid or missing CSRF token!"))
		} else {
			ctx := r.Context()
			ctx = context.WithValue(ctx, TokenContextKey, token.Value)
			next.ServeHTTP(w, r.WithContext(ctx))
		}
	})
}

func (t *TokenMiddleware) getTokenValueFromCookie(r *http.Request) *model.Token {
	tokenCookie, err := r.Cookie("tokenID")
	if err == http.ErrNoCookie {
		return nil
	}

	token, err := t.store.Token(tokenCookie.Value)
	if err != nil {
		logger.Error("[Middleware:Token] %v", err)
		return nil
	}

	return token
}

// NewTokenMiddleware returns a new TokenMiddleware.
func NewTokenMiddleware(s *storage.Storage) *TokenMiddleware {
	return &TokenMiddleware{store: s}
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 15:59:02 +0000