gin-gonic/contrib

Any plans on a csrf middleware?

robvdl opened this issue · 6 comments

How about adding csrf token generation and middleware support to contrib, I notice there is this currently:

https://github.com/tommy351/gin-csrf

However, that requires tommy351/gin-sessions rather than the sessions from gin-gonic/contrib/sessions. It would make sense to have a csrf library that worked with gin-gonic/contrib/sessions instead.

I also notice that gin-csrf seems to implement the csrf code from scratch. There is also gorilla/csrf that could maybe have been used as a foundation, but gin-csrf does not appear to be using that.

Later I found a fork of this library github.com/utrack/gin-csrf that has been adapted to work with gin-contrib sessions.

However, I have found another library, nosurf, which seems to be much more mature than gin-csrf.

+1

@robvdl
There is already https://github.com/gin-gonic/nosurf

Simplified example

```go
package main

import (
	"fmt"
	"net/http"

	"github.com/flosch/pongo2"
	"github.com/gin-gonic/gin"
	"github.com/gin-gonic/nosurf"
)

func main() {
	r := gin.Default()
	r.GET("/form", DisplayForm)

	// Wrap the gin engine so every request passes through the CSRF check
	csrf := nosurf.New(r)
	csrf.SetFailureHandler(http.HandlerFunc(csrfFailHandler))

	http.ListenAndServe(":8000", csrf)
}

// Called by nosurf when the token is missing or invalid
func csrfFailHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s\n", nosurf.Reason(r))
}

// Renders the form with the per-request token (assumes a pongo2 HTML renderer is configured)
func DisplayForm(c *gin.Context) {
	// in your form
	// <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
	c.HTML(200, "foo.html", pongo2.Context{"csrf_token": nosurf.Token(c.Request)})
}
```

@iwanbk

Yep, that's exactly what I have already been doing. I found that out not long after I wrote this issue, so I am not sure a csrf middleware is really needed in contrib. Should we close this issue?

> Should we close this issue?

Yes, we should instead improve the readme/docs of https://github.com/gin-gonic/nosurf

Please note that at this moment this fork is far behind justinas/nosurf.