pull out of older repos

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright © 2024 NAME HERE <EMAIL ADDRESS>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

auth_check.go

@@ -0,0 +1,29 @@
+package csrf
+
+import (
+	"crypto/md5"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// authenticated routes
+
+// compare two. possibly change this into middleware?
+func (c CSRF) AuthCheck(userID string, routeName string, givenToken string) bool {
+	minfactor := strconv.Itoa(time.Now().Hour())
+	minfactor_1 := strconv.Itoa(time.Now().Hour() - 1)
+	comp := fmt.Sprintf("%x", md5.Sum([]byte(userID+routeName+c.CSRFKey+minfactor)))
+	comp2 := fmt.Sprintf("%x", md5.Sum([]byte(userID+routeName+c.CSRFKey+minfactor_1)))
+	// comp := sha256.New()
+	// comp.Write([]byte(userID + routeName + CSRFKey + strconv.Itoa(time.Now().Hour())))
+	// be charitable:
+	//comp2 := sha256.New()
+	//comp2.Write([]byte(userID + routeName + CSRFKey + strconv.Itoa(time.Now().Hour()-1)))
+	if comp == givenToken {
+		return true
+	}
+	// second comparison for last hour:
+	return comp2 == givenToken
+	//return fmt.Sprintf("%x", comp2.Sum(nil)) == givenToken
+}

auth_make.go

@@ -0,0 +1,18 @@
+package csrf
+
+import (
+	"crypto/md5"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// a CSRF key is valid for the current time, route, and user.
+func (c CSRF) AuthMake(userID string, routeName string) string {
+	// h := sha256.New()
+	// h.Write([]byte(userID + routeName + CSRFKey + strconv.Itoa(time.Now().Hour())))
+	// return fmt.Sprintf("%x", h.Sum(nil))
+	minfactor := strconv.Itoa(time.Now().Hour())
+	res := fmt.Sprintf("%x", md5.Sum([]byte(userID+routeName+c.CSRFKey+minfactor)))
+	return res
+}

example_test.go

@@ -0,0 +1,23 @@
+package csrf_test
+
+import (
+	"fmt"
+	"net/http"
+
+	"git.bivouac.wiki/use/csrf"
+)
+
+func denied(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/html")
+	fmt.Println("404: " + r.URL.Path)
+	w.WriteHeader(403)
+	w.Write([]byte("CSRF invalid"))
+}
+
+func ExampleCSRF() {
+	k := csrf.SessionRandB64(16)
+	c := csrf.New(k, denied)
+	val := c.AuthMake("alice", "/home")
+	c.AuthCheck("alice", "/home", val)
+	// can add in the httptest examples for the middleware in a bit.
+}

guestgen.go

@@ -1 +0,0 @@
-package csrf

guestvalid.go

@@ -1,3 +0,0 @@
-package csrf
-
-// guest routes

init.go

@@ -0,0 +1,23 @@
+package csrf
+
+import "net/http"
+
+type CSRF struct {
+	CSRFKey  string
+	DeniedFn DenyFN
+}
+type DenyFN func(w http.ResponseWriter, r *http.Request)
+
+// NewCSRFRand makes a new CSRF with a random key.
+func NewRand(deniedfn DenyFN) CSRF {
+	k := SessionRandB64(16)
+	return New(k, deniedfn)
+}
+
+// NewCSRF creates a CSRF with a defined key
+func New(key string, deniedfn DenyFN) CSRF {
+	return CSRF{
+		CSRFKey:  key,
+		DeniedFn: deniedfn,
+	}
+}

middleware.go

@@ -1 +1,29 @@
 package csrf
+
+import "net/http"
+
+type CtxKey string
+
+const ContextUserId CtxKey = "userid"
+
+func (c CSRF) MiddleAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// requires WhoIsThis middleware to set this context key beforehand...
+		userID := r.Context().Value(ContextUserId).(string)
+		if c.AuthCheck(userID, r.RequestURI, r.FormValue("csrf")) {
+			c.DeniedFn(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (c CSRF) MiddleUnauth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !c.UnauthCheck(r.RequestURI, r.FormValue("csrf")) {
+			c.DeniedFn(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}

rand.go

@@ -0,0 +1,28 @@
+package csrf
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"math"
+)
+
+func urlRandomBase64String(l int) string {
+	buff := make([]byte, int(math.Ceil(float64(l)/float64(1.33333333333))))
+	rand.Read(buff)
+	str := base64.RawURLEncoding.EncodeToString(buff)
+	return str[:l] // strip 1 extra character we get from odd length results
+}
+
+func randChars(len int) []byte {
+	val := make([]byte, len)
+	if _, err := rand.Read(val); err != nil {
+		fmt.Println(err)
+	}
+	return val
+}
+func SessionRandB64(len int) string {
+	val := randChars(len)
+	res := base64.StdEncoding.EncodeToString(val)
+	return res
+}

unauth_check.go

@@ -0,0 +1,28 @@
+package csrf
+
+import (
+	"crypto/md5"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// guest routes
+func (c CSRF) UnauthCheck(routename string, givenToken string) bool {
+	//comp := sha256.New()
+	minfactor := strconv.Itoa(time.Now().Minute() / 10)
+	minfactor_1 := strconv.Itoa((time.Now().Minute() / 10) - 1)
+	comp := fmt.Sprintf("%x", md5.Sum([]byte(routename+c.CSRFKey+minfactor)))
+	//comp.Write([]byte(routename + CSRFKey + minfactor))
+	// be charitable:
+	comp2 := fmt.Sprintf("%x", md5.Sum([]byte(routename+c.CSRFKey+minfactor_1)))
+	// comp2 := sha256.New()
+	// comp2.Write([]byte(routename + CSRFKey + minfactor_1))
+	if comp == givenToken {
+		return true
+	}
+	// second comparison for last hour:
+	return comp2 == givenToken
+	//return fmt.Sprintf("%x", comp2.Sum(nil)) == givenToken
+
+}

unauth_make.go

@@ -0,0 +1,20 @@
+package csrf
+
+import (
+	"crypto/md5"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// userless CSRF
+func (c CSRF) UnauthMake(routename string) string {
+	//shorter time scales
+	// h := sha256.New()
+	// get time in 10 minute chunks
+	minfactor := strconv.Itoa(time.Now().Minute() / 10)
+	res := fmt.Sprintf("%x", md5.Sum([]byte(routename+c.CSRFKey+minfactor)))
+	// h.Write([]byte(routename + CSRFKey + minfactor))
+	// res := fmt.Sprintf("%x", h.Sum(nil))
+	return res
+}

usergen.go

@@ -1 +0,0 @@
-package csrf

uservalid.go

@@ -1,3 +0,0 @@
-package csrf
-
-// authenticated routes