Is there a way to avoid verification #9

Open
hongjinlin opened this issue Mar 21, 2018 · 8 comments

Comments

@hongjinlin

I have a scenario that needs to receive a third-party post.
Thanks!

@hongjinlin
Author

Not IgnoreMethods, but a router such as

```go
wechat := router.Group("/wechat")
{
	wechatC := new(Wechat)
	wechat.POST("/callback", wechatC.Callback) // normal verification
	wechat.POST("/message", wechatC.Message)   // how to avoid verification for this route?
}
```

@delphinus

"avoid verification" means you don't want to apply CSRF protection to a certain path? gin can apply middlewares to the whole router, each group (path), or each endpoint.

```go
mw := csrf.Middleware(csrf.Options{...})

r := gin.New()
r.POST("/need_not_to_protect", safeFunc)
r.POST("/need_to_protect", mw, dangerFunc)

// ...or...

r := gin.New()
rs := r.Group("/need_not_to_protect")
rs.POST("safe", safeFunc)
...

rd := r.Group("/need_to_protect", mw)
rd.POST("danger", dangerFunc) // registered on the protected group, not rs
...
```

@utrack
Owner

utrack commented Mar 21, 2018

@hongjinlin you can create two Groups, one of which would be protected and another one unprotected.
Parts of their paths can overlap, so if you create two "/wechat" groups it won't be a problem - one group can use the middleware (i.e. be CSRF-protected) and one can do without the m/w.

@hongjinlin
Author

Thank you for your answer @delphinus @utrack
I added an IgnoreRoute config in my fork:
https://github.com/hongjinlin/gin-csrf.git

@delphinus

I think this would be better achieved by adding another middleware, because the paths in both the routing setting and in ignoreRoutes are duplicated.

With #10, you can use this feature with the code below...

```go
mw := csrf.Middleware(csrf.Options{
  Secret: ...,
  IgnoreRoutes: []string{"/path/to/safe"},
})

r := gin.New()
rr := r.Group("/path/to", mw)
rr.POST("unsafe", foo.Unsafe)
rr.POST("safe", foo.Safe)
```

Then, if you want to change the path /path/to to /nice/path/to, you must change all code that has /path/to.

```go
mw := csrf.Middleware(csrf.Options{
  Secret: ...,
  IgnoreRoutes: []string{"/path/to/safe"},  // <- to change
})

...

rr := r.Group("/path/to", mw) // <- to change
```

In small apps, this is OK. But this is easy to get wrong in huge apps that have multiple source files for routing.

So I suggest using another middleware for this.

```go
mw := csrf.Middleware(csrf.Options{
  Secret: ...,
})

r := gin.New()
rr := r.Group("/path/to", mw)
rr.POST("unsafe", foo.Unsafe)
// ignore CSRF feature for this route only
rr.POST("safe", csrf.Ignore, foo.Safe)
```

How about this? @hongjinlin , @utrack I will push a PR later for this implementation.

@utrack utrack reopened this Apr 4, 2018
@utrack
Owner

utrack commented Apr 4, 2018

I like your solution more @delphinus. Pushing some value to the ctx and then rechecking it should do the trick.

@hongjinlin
Author

Maybe you are right, but in our scenario the csrf middleware is global; it is not realistic to modify the other routes now.

@delphinus

I see... I was mistaken. Gin executes handlers from outer to inner, and the outer handler cannot distinguish the inner ones. So, as @hongjinlin says, it is impossible for the CSRF middleware to change its behavior according to inner middlewares, including the csrf.Ignore I illustrated above.

```go
// in my plan...
rr := r.Use(csrf.Middleware())
rr.POST("/foo", csrf.Ignore, bar.Foo)

// and it executes in this order
// 1. csrf.Middleware()
// 2. csrf.Ignore
// 3. bar.Foo
//
// csrf.Ignore cannot change csrf.Middleware()'s behavior!!
```

I gave up ;( Does anyone know a good solution for this?
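The two-group layout utrack described and the outer-to-inner ordering delphinus hit, written as an added example that is not code from this issue or from gin-csrf: it uses Go's standard net/http instead of gin so it runs stand-alone, both routes share the /wechat prefix, and only /wechat/callback is wrapped by the CSRF check. The header name X-CSRF-Token and the token value are constructed assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// Constructed demo token; a real deployment issues per-session tokens.
const demoToken = "constructed-demo-token"

// csrfProtect is the outer handler: it runs before anything wrapped inside it and
// rejects a POST whose X-CSRF-Token header (assumed name) does not match, so no
// inner handler gets a chance to switch the check off.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			got := r.Header.Get("X-CSRF-Token")
			if subtle.ConstantTimeCompare([]byte(got), []byte(demoToken)) != 1 {
				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// newRouter mirrors the two-group approach: both routes share the "/wechat" prefix,
// but only /wechat/callback is wrapped by csrfProtect. The third-party webhook at
// /wechat/message is registered outside the middleware, not "ignored" from inside.
func newRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/wechat/callback", csrfProtect(http.HandlerFunc(ok)))
	mux.Handle("/wechat/message", http.HandlerFunc(ok))
	return mux
}

// post returns the status code for a POST to path carrying the given token header.
func post(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```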
