Echo: Any document demonstrating the way to use the CSRF middleware?

Created on 25 Jun 2016 · 6 Comments · Source: labstack/echo

It doesn't work by simply adding Use in context:

package main

import (
    "net/http"

    "github.com/labstack/echo"
    "github.com/labstack/echo/engine/standard"
    //"github.com/labstack/echo/engine/fasthttp"
    "github.com/labstack/echo/middleware"
)

func main() {

    // Echo instance
    e := echo.New()

    // Middleware
    e.Use(middleware.Logger())
    e.Use(middleware.Recover())
    e.Use(middleware.Gzip())
    e.Use(middleware.CSRF([]byte("secret")))

    e.GET("/", form)
    e.POST("/", formPost)

    // Start server
    e.Run(standard.New(":1324"))
}

func form(c echo.Context) error {
    return c.HTML(http.StatusOK, `
<html>
<body>
<form method='POST'>
<input type='text' name='name' /><br/>
<input type='submit' value='submit' />
</form>
</body>
</html> 
    `)
}

func formPost(c echo.Context) error {
    name := c.FormValue("name")
    return c.String(http.StatusOK, name)
}

And the error shows:

invalid csrf token

All 6 comments

You have to send the CSRF token back. It can be read from the cookie? The default CSRF middleware looks for the CSRF token in the header key X-CSRF-Token.

I see. I checked the code and learnt that it works like you mentioned.
But since by default it writes to the cookie, is there any concern with not reading it from the cookie directly?

I will update the docs, but you should look into how to use CSRF in general.

I see, thanks.

@vishr, I believe this ticket can be closed?

For others searching for information on how to use CSRF protection:

  1. Register the CSRF middleware (the example below expects the POSTed form to contain a form field with the name csrf and the value of the CSRF token):
     api.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{ TokenLookup: "form:csrf", }))
  2. Get the value of the current CSRF token. The value of the CSRF token can be extracted from the echo#Context:
     csrf_value := ctx.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
  3. Make sure that your forms which are to be posted contain this form field by passing the token value to your template.

If you need to protect other methods, you will probably need a different configuration and to pass the token through HTTP headers.
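
The three steps above, as an added example that is not echo's code and not part of this thread: the same double-submit cookie check written against net/http only, so it runs without the echo dependency. The token is issued in a cookie on safe requests, rendered into a hidden "csrf" field (what a TokenLookup of "form:csrf" reads back), and a POST that does not return it gets the thread's "invalid csrf token" error. csrfForm, App and the cookie name are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Cookie name is this example's own choice; echo's default cookie is also "_csrf".
const cookieName = "_csrf"

// csrfForm issues the token in a cookie on safe methods, rejects any other method
// unless the "csrf" form field equals the cookie value (double-submit cookie), and
// passes the token to the handler, the role echo's ContextKey plays.
func csrfForm(next func(w http.ResponseWriter, r *http.Request, token string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := ""
		if c, err := r.Cookie(cookieName); err == nil {
			tok = c.Value
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			if tok == "" {
				b := make([]byte, 16)
				rand.Read(b) // crypto/rand; error ignored only for brevity
				tok = hex.EncodeToString(b)
				http.SetCookie(w, &http.Cookie{Name: cookieName, Value: tok, Path: "/", HttpOnly: true})
			}
		default:
			if tok == "" || subtle.ConstantTimeCompare([]byte(tok), []byte(r.FormValue("csrf"))) != 1 {
				http.Error(w, "invalid csrf token", http.StatusForbidden)
				return
			}
		}
		next(w, r, tok)
	})
}

// App mirrors the thread's form/formPost pair, but renders the token into a hidden
// "csrf" field; the token is hex, so embedding it without escaping is safe.
func App() http.Handler {
	return csrfForm(func(w http.ResponseWriter, r *http.Request, token string) {
		if r.Method == http.MethodPost {
			fmt.Fprint(w, r.FormValue("name"))
			return
		}
		fmt.Fprintf(w, `<form method="POST"><input type="hidden" name="csrf" value="%s">`+
			`<input type="text" name="name"><input type="submit"></form>`, token)
	})
}
```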

Thanks @skyflyer
