httpauth

package
v0.1.35 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultMaxBodySize = 1 << 20 // 1MB

DefaultMaxBodySize is the default request body size limit (1MB).

Variables

This section is empty.

Functions

func CSRFTemplateField

func CSRFTemplateField(r *http.Request) template.HTML

CSRFTemplateField returns an HTML hidden input field containing the CSRF token. Use this in templates: {{.CSRFField}}

func CSRFToken

func CSRFToken(r *http.Request) string

CSRFToken extracts the CSRF token from the request context. Returns an empty string if the CSRF middleware is not active.

func IsBodyTooLargeError added in v0.0.42

func IsBodyTooLargeError(err error) bool

IsBodyTooLargeError checks if an error is from http.MaxBytesReader exceeding its limit.

func LimitBody added in v0.0.42

func LimitBody(maxBytes int64) func(http.Handler) http.Handler

LimitBody returns middleware that limits the request body to maxBytes. If the body exceeds the limit, a 413 Request Entity Too Large response is sent before the handler runs. This prevents memory exhaustion from oversized JSON bodies (CWE-400: Uncontrolled Resource Consumption).

Usage:

mux.Handle("/api/login", httpauth.LimitBody(1<<20)(loginHandler))

Or wrap an entire mux:

http.ListenAndServe(":8080", httpauth.LimitBody(1<<20)(mux))

func LimitBodyReader added in v0.0.42

func LimitBodyReader(w http.ResponseWriter, r *http.Request, maxBytes int64)

LimitBodyReader is a lower-level helper that wraps a request body with http.MaxBytesReader. Unlike LimitBody middleware, it doesn't reject upfront — the error occurs when the handler tries to read past the limit. Use this when you need to apply limits inside a handler rather than as middleware.

func SecurityHeaders added in v0.0.43

func SecurityHeaders() func(http.Handler) http.Handler

SecurityHeaders returns middleware that sets standard security headers on every response. These headers protect against common web vulnerabilities:

  • HSTS: forces HTTPS connections (RFC 6797)
  • X-Content-Type-Options: prevents MIME sniffing
  • X-Frame-Options: prevents clickjacking
  • Content-Security-Policy: mitigates XSS
  • Referrer-Policy: controls referrer leakage
  • Permissions-Policy: disables unnecessary browser APIs

Usage:

mux := http.NewServeMux()
handler := httpauth.SecurityHeaders()(mux)
http.ListenAndServe(":8080", handler)

See: https://owasp.org/www-project-secure-headers/

func SecurityHeadersWithConfig added in v0.0.43

func SecurityHeadersWithConfig(cfg SecurityHeadersConfig) func(http.Handler) http.Handler

SecurityHeadersWithConfig returns middleware using the provided configuration.

Types

type CSRFMiddleware

type CSRFMiddleware struct {
	// CookieName is the name of the CSRF cookie. Default: "csrf_token".
	CookieName string
	// FieldName is the form field name to check. Default: "csrf_token".
	FieldName string
	// HeaderName is the HTTP header to check. Default: "X-CSRF-Token".
	HeaderName string
	// MaxAge is the cookie lifetime in seconds. Default: 3600 (1 hour).
	MaxAge int
	// Secure sets the Secure flag on the cookie (for HTTPS).
	Secure bool
	// SameSite sets the SameSite attribute. Default: SameSiteStrictMode.
	SameSite http.SameSite
	// Path sets the cookie path. Default: "/".
	Path string
	// ErrorHandler is called when CSRF validation fails. Default: 403 JSON response.
	ErrorHandler http.HandlerFunc
	// ExemptFunc returns true if the request should skip CSRF validation.
	// Default: exempt requests with an Authorization: Bearer header.
	ExemptFunc func(*http.Request) bool
}

CSRFMiddleware implements the double-submit cookie pattern for CSRF protection. It generates a random token stored in a cookie and validates that state-changing requests include a matching token in a form field or header.

Bearer-token requests are exempt by default since they are not vulnerable to CSRF. The cookie is NOT HttpOnly so JavaScript can read it for AJAX header submission.

func (*CSRFMiddleware) Protect

func (m *CSRFMiddleware) Protect(next http.Handler) http.Handler

Protect returns middleware that enforces CSRF protection. Safe methods (GET, HEAD, OPTIONS) receive a CSRF cookie and have the token injected into the request context. Unsafe methods must include a matching token in either the form field or header.

type Middleware

type Middleware struct {
	AuthTokenHeaderName string
	AuthTokenCookieName string
	SubjectParamName    string
	CallbackURLParam    string
	SessionGetter       func(r *http.Request, param string) any
	GetRedirURL         func(r *http.Request) string
	DefaultRedirectURL  string
	VerifyToken         func(tokenString string) (loggedInSubject string, token any, err error)
}

func (*Middleware) EnsureReasonableDefaults

func (a *Middleware) EnsureReasonableDefaults()

*

  • Ensures that config values have reasonable defaults.

func (*Middleware) EnsureUser

func (a *Middleware) EnsureUser(next http.Handler) http.Handler

func (*Middleware) ExtractUser

func (a *Middleware) ExtractUser(next http.Handler) http.Handler

*

  • Fetches the subject from the request and loads it into the request
  • context for downstream handlers. *
  • Note this does not perform any redirects if a valid subject does not
  • exist. To also enforce that, use EnsureUser.

func (*Middleware) GetLoggedInSubject added in v0.1.4

func (a *Middleware) GetLoggedInSubject(r *http.Request) string

GetLoggedInSubject returns the authenticated subject (RFC 7519 `sub`) for the current request — a user ID for human-driven flows or a client_id for client_credentials.

type OneAuth

type OneAuth struct {
	Session    *scs.SessionManager
	Middleware Middleware

	// Optional name that can be used as a prefix for all required vars
	AppName string

	// Name of the session variable where the auth token is stored
	AuthTokenSessionVar string

	// All the domains where the auth token cookies will be set on a login success or logout
	CookieDomains []string

	// JWT related fields
	JwtIssuer    string
	JWTSecretKey string

	// How long is a session cookie valid for.  Defaults to 1 day
	SessionTimeoutInSeconds int
	// contains filtered or unexported fields
}

OneAuth owns the session/JWT/mux transport machinery shared across auth flows. Provider-mediated (OAuth/SAML) callback orchestration lives in federatedauth/; username/password handlers live in localauth/.

func New

func New(appName string) *OneAuth

func (*OneAuth) AddAuth

func (a *OneAuth) AddAuth(prefix string, handler http.Handler) *OneAuth

func (*OneAuth) EnsureDefaults

func (a *OneAuth) EnsureDefaults() *OneAuth

func (*OneAuth) Handler

func (a *OneAuth) Handler() http.Handler

func (*OneAuth) SetLoggedInSubject added in v0.1.4

func (a *OneAuth) SetLoggedInSubject(subject string, w http.ResponseWriter, r *http.Request) string

SetLoggedInSubject stores the authenticated subject (RFC 7519 `sub` — a user ID for human-driven flows or a client_id for client_credentials) on each configured cookie domain. Pass an empty string to clear (logout).

Callers (typically federatedauth or localauth) translate their User object to user.Id() at the call site.

type SecurityHeadersConfig added in v0.0.43

type SecurityHeadersConfig struct {
	// HSTS max-age in seconds. Set to 0 to disable. Default: 31536000 (1 year).
	HSTSMaxAge int
	// Include subdomains in HSTS. Default: true.
	HSTSIncludeSubDomains bool
	// X-Frame-Options value. Default: "DENY". Set to "" to disable.
	FrameOptions string
	// Content-Security-Policy value. Default: "default-src 'self'". Set to "" to disable.
	ContentSecurityPolicy string
	// Referrer-Policy value. Default: "strict-origin-when-cross-origin". Set to "" to disable.
	ReferrerPolicy string
	// Permissions-Policy value. Default: disables camera, mic, geo. Set to "" to disable.
	PermissionsPolicy string
	// Cross-Origin-Embedder-Policy value. Default: "credentialless". Set to "" to disable.
	CrossOriginEmbedderPolicy string
	// Cross-Origin-Opener-Policy value. Default: "same-origin". Set to "" to disable.
	CrossOriginOpenerPolicy string
	// Cross-Origin-Resource-Policy value. Default: "same-origin". Set to "" to disable.
	CrossOriginResourcePolicy string
}

SecurityHeadersConfig controls which security headers are set.

func DefaultSecurityHeadersConfig added in v0.0.43

func DefaultSecurityHeadersConfig() SecurityHeadersConfig

DefaultSecurityHeadersConfig returns secure defaults.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL