
[BUG] Middleware doesn't work with Chi #173

Open
1 task done
romanian-bag-void opened this issue Nov 30, 2023 · 1 comment
romanian-bag-void commented Nov 30, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Looks like a bug to me, but I hope I'm not missing something. I don't know if this is a Chi-related issue, or gorilla-csrf issue.

I'm trying to use chi with the CSRF middleware, but for some reason, despite it being easy to access the token, on protected routes they don't appear. I understand how the whole CSRF process should work usually, and have read the docs, but I don't seem to be able to create protected routes. In my particular case, I want to get the CSRF token as a JSON attribute, but I think that is redundant in this case.

Expected Behavior

CSRF-protected routes should require the token in some form to be accessible and give a 403 Forbidden error if they are not provided the token.

Steps To Reproduce

Create a default middleware, apply it to the router, apply it to individual routes, doesn't work. Doesn't work on groups either.

Anything else?

The code:

```go
package main

// Import paths are assumed (chi v5, chi/render, gorilla/csrf); the issue text does not list them.
import (
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
	"github.com/go-chi/render"
	"github.com/gorilla/csrf"
)

func main() {
	router := chi.NewRouter()

	CSRFMiddleware := csrf.Protect([]byte("32-byte-long-auth-key")) // change 32-bla to something random

	router.Use(middleware.Logger)

	router.Group(func(r chi.Router) {
		r.Use(CSRFMiddleware)

		// Note: these handlers are registered on the outer router, not on the group's r,
		// so the group's r.Use(CSRFMiddleware) does not apply to them.
		router.Get("/get-token", func(w http.ResponseWriter, r *http.Request) {
			render.JSON(w, r, csrf.Token(r))
		})

		router.Get("/1", func(w http.ResponseWriter, r *http.Request) {
			render.JSON(w, r, "no middleware!")
		})

		router.With(CSRFMiddleware).Get("/2", func(w http.ResponseWriter, r *http.Request) {
			render.JSON(w, r, "with middleware!")
		})
	})

	// Routes outside a group
	router.Get("/3", func(w http.ResponseWriter, r *http.Request) {
		render.JSON(w, r, "no group, no middleware!")
	})

	router.With(CSRFMiddleware).Get("/4", func(w http.ResponseWriter, r *http.Request) {
		render.JSON(w, r, "no group, with middleware!")
	})

	http.ListenAndServe(":3000", router)
}
```

@IgorPidik

Hi @romanian-bag-void,
This does not seem to be a bug. In csrf.go#L244 you can see that the "safe" methods (GET, HEAD, ...) are not inspected. If you change the method of one of your protected endpoints to "POST" then you will get a 403 response as you expect.
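To see the rule IgorPidik describes in action, here is an added example (not code from this issue or from gorilla/csrf): a simplified double-submit stand-in for csrf.Protect that applies the same safe-method exemption, plus an httptest probe that reports the status each request shape gets. The probe takes any http.Handler, so the same check can be pointed at a chi router wrapped with the real csrf.Protect; the names protect, probe, protectedRoute and the _csrf / X-CSRF-Token pair are assumptions of this example (gorilla/csrf signs and masks its own tokens, which this stand-in does not).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Safe methods are never inspected for a token, which is why the reporter's GET routes never 403.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "TRACE": true}

// protect is a simplified double-submit stand-in for csrf.Protect (constructed for this example):
// unsafe methods must carry a _csrf cookie and echo its value in X-CSRF-Token; a cross-site POST
// carries the victim's cookie but cannot set the header, so it is refused.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safeMethods[r.Method] {
			c, err := r.Cookie("_csrf")
			if err != nil || r.Header.Get("X-CSRF-Token") != c.Value {
				http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request to h and returns the status code; an empty cookie or header
// is simply omitted, so the different request shapes can be compared side by side.
func probe(h http.Handler, method, cookie, header string) int {
	req := httptest.NewRequest(method, "/2", nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "_csrf", Value: cookie})
	}
	if header != "" {
		req.Header.Set("X-CSRF-Token", header)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// protectedRoute wraps an always-200 handler, like the reporter's "/2" behind router.With.
func protectedRoute() http.Handler {
	return protect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
}

func main() {
	h := protectedRoute()
	fmt.Println("GET no token:", probe(h, "GET", "", ""), "| POST cookie only:", probe(h, "POST", "tok", ""), "| POST cookie+header:", probe(h, "POST", "tok", "tok"))
}
```

Run the probes against a real csrf.Protect-wrapped chi router to confirm the same pattern: every GET answers 200 with or without a token, while POST without the header is the request that returns 403.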
