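package auth

import (
	"crypto/subtle"
	"net/http"

	"code.cloudfoundry.org/lager"

	"github.com/pf-qiu/concourse/v6/skymarshal/token"
)

// CSRFValidationHandler wraps handler so that every request for which
// IsCSRFRequired reports true must carry a CSRFHeaderName header whose value
// matches the CSRF token that middleware extracts from the request. Requests
// failing that check are answered with 401 Unauthorized and never reach
// handler; all other requests are passed through unchanged.
func CSRFValidationHandler(
	handler http.Handler,
	middleware token.Middleware,
) http.Handler {
	return csrfValidationHandler{
		handler:    handler,
		middleware: middleware,
	}
}

// csrfValidationHandler is the http.Handler returned by CSRFValidationHandler.
type csrfValidationHandler struct {
	handler    http.Handler     // wrapped handler, invoked only once the CSRF check passes
	middleware token.Middleware // source of the expected CSRF token for a request
}

// ServeHTTP performs the CSRF check and then delegates to the wrapped handler.
//
// It requires a lager.Logger stored under the "logger" key of the request
// context and panics when none is present. When IsCSRFRequired(r) is true the
// request is rejected with 401 Unauthorized if the CSRFHeaderName header is
// absent, if the middleware yields no CSRF token for the request, or if the
// two values differ. The comparison is constant-time and the token values are
// never written to the log.
func (h csrfValidationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	logger, ok := r.Context().Value("logger").(lager.Logger)
	if !ok {
		panic("logger is not set in request context for csrf validation handler")
	}

	logger = logger.Session("csrf-validation")

	if IsCSRFRequired(r) {
		csrfHeader := r.Header.Get(CSRFHeaderName)
		if csrfHeader == "" {
			logger.Debug("csrf-header-is-not-set")
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		csrfToken := h.middleware.GetCSRFToken(r)
		if csrfToken == "" {
			logger.Debug("csrf-is-not-provided-in-auth-token")
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		// Compare in constant time so response latency does not depend on how
		// much of the expected token a submitted header happens to match.
		// The token values are deliberately kept out of the log line: a debug
		// log must not become a second channel through which a valid CSRF
		// token can be read back.
		if subtle.ConstantTimeCompare([]byte(csrfToken), []byte(csrfHeader)) != 1 {
			logger.Debug("csrf-token-does-not-match-auth-token")
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
	}

	h.handler.ServeHTTP(w, r)
}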