narasi-ahli
/
narasiahli-be
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: update middleware for csrf checking

This commit is contained in:
hanif salafi 2025-11-05 09:28:21 +07:00
parent b3bfb2bc3d
commit 38a72b74c6
1 changed files with 51 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
app/middleware/register.middleware.go
View File

@ -70,59 +70,61 @@ func (m *Middleware) Register(db *database.Database) {
// CSRF CONFIG
//===============================
// Custom storage for CSRF
csrfSessionStorage := &PostgresStorage{
DB: db.DB,
}
// Store initialization for session
store := session.New(session.Config{
CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite,
CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure,
CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly,
CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly,
Storage: csrfSessionStorage,
})
m.App.Use(func(c *fiber.Ctx) error {
sess, err := store.Get(c)
if err != nil {
return err
// Only setup CSRF middleware if enabled
if m.Cfg.Middleware.Csrf.Enable {
// Custom storage for CSRF
csrfSessionStorage := &PostgresStorage{
DB: db.DB,
}
c.Locals("session", sess)
return c.Next()
})
// Cleanup the expired token
go func() {
ticker := time.NewTicker(1 * time.Hour)
defer ticker.Stop()
// Store initialization for session
store := session.New(session.Config{
CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite,
CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure,
CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly,
CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly,
Storage: csrfSessionStorage,
})
for range ticker.C {
if err := csrfSessionStorage.Reset(); err != nil {
log.Printf("Error cleaning up expired CSRF tokens: %v", err)
m.App.Use(func(c *fiber.Ctx) error {
sess, err := store.Get(c)
if err != nil {
return err
}
}
}()
c.Locals("session", sess)
return c.Next()
})
m.App.Use(csrf.New(csrf.Config{
Next: utilsSvc.IsEnabled(m.Cfg.Middleware.Csrf.Enable),
KeyLookup: "header:" + csrf.HeaderName,
CookieName: m.Cfg.Middleware.Csrf.CookieName,
CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite,
CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure,
CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly,
CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly,
Expiration: 1 * time.Hour,
KeyGenerator: utils.UUIDv4,
ContextKey: "csrf",
ErrorHandler: func(c *fiber.Ctx, err error) error {
return utilsSvc.CsrfErrorHandler(c, err)
},
Extractor: csrf.CsrfFromHeader(csrf.HeaderName),
Session: store,
SessionKey: "fiber.csrf.token",
}))
// Cleanup the expired token
go func() {
ticker := time.NewTicker(1 * time.Hour)
defer ticker.Stop()
for range ticker.C {
if err := csrfSessionStorage.Reset(); err != nil {
log.Printf("Error cleaning up expired CSRF tokens: %v", err)
}
}
}()
m.App.Use(csrf.New(csrf.Config{
KeyLookup: "header:" + csrf.HeaderName,
CookieName: m.Cfg.Middleware.Csrf.CookieName,
CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite,
CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure,
CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly,
CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly,
Expiration: 1 * time.Hour,
KeyGenerator: utils.UUIDv4,
ContextKey: "csrf",
ErrorHandler: func(c *fiber.Ctx, err error) error {
return utilsSvc.CsrfErrorHandler(c, err)
},
Extractor: csrf.CsrfFromHeader(csrf.HeaderName),
Session: store,
SessionKey: "fiber.csrf.token",
}))
}
//===============================
m.App.Use(AuditTrailsMiddleware(db.DB))
@ -141,7 +143,7 @@ func (m *Middleware) Register(db *database.Database) {
Next: utilsSvc.IsEnabled(m.Cfg.Middleware.Monitor.Enable),
}))
// Route for generate CSRF token
// Route for generate CSRF token (only available if CSRF is enabled)
m.App.Get("/csrf-token", func(c *fiber.Ctx) error {
// Retrieve CSRF token from Fiber's middleware context
token, ok := c.Locals("csrf").(string)