feat: csrf middleware (#1182)

NiteshSingh17 · web-flow · commit 85d119fd9e1c · 2025-09-12T09:15:29.000+08:00
* create csrf middleware

* minor

* update csrf token

* handle absolute paths

* csrf test

* replace http to net http

* replace AbortWithStatusJson with Abort
diff --git a/contracts/http/status.go b/contracts/http/status.go
@@ -73,6 +73,7 @@ const (
 	StatusLoopDetected                  = http.StatusLoopDetected
 	StatusNotExtended                   = http.StatusNotExtended
 	StatusNetworkAuthenticationRequired = http.StatusNetworkAuthenticationRequired
+	StatusTokenMismatch                 = 419
 )
 
 var statusText = map[int]string{
@@ -142,6 +143,7 @@ var statusText = map[int]string{
 	StatusLoopDetected:                  http.StatusText(StatusLoopDetected),
 	StatusNotExtended:                   http.StatusText(StatusNotExtended),
 	StatusNetworkAuthenticationRequired: http.StatusText(StatusNetworkAuthenticationRequired),
+	StatusTokenMismatch:                 "CSRF token mismatch",
 }
 
 // StatusText returns a text for the HTTP status code. It returns the empty
diff --git a/http/middleware/verify_csrf_token.go b/http/middleware/verify_csrf_token.go
@@ -0,0 +1,65 @@
+package middleware
+
+import (
+	"crypto/subtle"
+	"net/url"
+	"path"
+	"strings"
+
+	contractshttp "github.com/goravel/framework/contracts/http"
+)
+
+const HeaderCsrfKey = "X-CSRF-TOKEN"
+
+func VerifyCsrfToken(excepts []string) contractshttp.Middleware {
+	absolutePaths := parseExceptPaths(excepts)
+	return func(ctx contractshttp.Context) {
+		if isReading(ctx.Request().Method()) || inExceptArray(absolutePaths, ctx.Request().Path()) || tokenMatch(ctx) {
+			ctx.Request().Next()
+			ctx.Response().Header(HeaderCsrfKey, ctx.Request().Session().Token())
+		} else {
+			ctx.Request().Abort(contractshttp.StatusTokenMismatch)
+		}
+	}
+}
+
+func tokenMatch(ctx contractshttp.Context) bool {
+	if !ctx.Request().HasSession() {
+		return false
+	}
+	sessionCsrfToken := ctx.Request().Session().Token()
+	requestCsrfToken := ctx.Request().Header(HeaderCsrfKey)
+	if requestCsrfToken == "" {
+		requestCsrfToken = ctx.Request().Input("_token")
+	}
+	if requestCsrfToken == "" || subtle.ConstantTimeCompare([]byte(requestCsrfToken), []byte(sessionCsrfToken)) == 0 {
+		return false
+	}
+	return true
+}
+
+func inExceptArray(excepts []string, currentPath string) bool {
+	currentPath = strings.Trim(currentPath, "/")
+	for _, pattern := range excepts {
+		if matched, err := path.Match(pattern, currentPath); err == nil && matched {
+			return true
+		}
+	}
+	return false
+}
+
+func isReading(method string) bool {
+	return method == contractshttp.MethodGet || method == contractshttp.MethodHead || method == contractshttp.MethodOptions
+}
+
+func parseExceptPaths(rawExcepts []string) []string {
+	var paths []string
+	for _, except := range rawExcepts {
+		if u, err := url.Parse(except); err == nil && u.Path != "" {
+			paths = append(paths, strings.Trim(u.Path, "/"))
+		} else {
+			paths = append(paths, strings.Trim(except, "/"))
+		}
+	}
+	return paths
+}
diff --git a/http/middleware/verify_csrf_token_test.go b/http/middleware/verify_csrf_token_test.go

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,7 @@ const (`
`73`	`73`	`StatusLoopDetected = http.StatusLoopDetected`
`74`	`74`	`StatusNotExtended = http.StatusNotExtended`
`75`	`75`	`StatusNetworkAuthenticationRequired = http.StatusNetworkAuthenticationRequired`
	`76`	`+ StatusTokenMismatch = 419`
`76`	`77`	`)`
`77`	`78`
`78`	`79`	`var statusText = map[int]string{`
`@@ -142,6 +143,7 @@ var statusText = map[int]string{`
`142`	`143`	`StatusLoopDetected: http.StatusText(StatusLoopDetected),`
`143`	`144`	`StatusNotExtended: http.StatusText(StatusNotExtended),`
`144`	`145`	`StatusNetworkAuthenticationRequired: http.StatusText(StatusNetworkAuthenticationRequired),`
	`146`	`+ StatusTokenMismatch: "CSRF token mismatch",`
`145`	`147`	`}`
`146`	`148`
`147`	`149`	`// StatusText returns a text for the HTTP status code. It returns the empty`