chore: cleanup files
This commit is contained in:
@@ -41,7 +41,6 @@ func Auth(authService *auth.Service) func(http.Handler) http.Handler {
|
||||
}
|
||||
}
|
||||
|
||||
// RequireAuth ensures that a valid user is in the context, otherwise unauthorized
|
||||
func RequireAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user, ok := r.Context().Value(UserContextKey).(*database.User)
|
||||
@@ -58,7 +57,6 @@ func RequireAuth(next http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
|
||||
// RequireGlobalAuth ensures that a valid user is in the context for all routes except login and static
|
||||
func RequireGlobalAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// Allow unauthenticated access to login, register, search, and static files
|
||||
@@ -83,7 +81,6 @@ func RequireGlobalAuth(next http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
|
||||
// GetUser returns the user from context, or nil if not logged in
|
||||
func GetUser(ctx context.Context) *database.User {
|
||||
user, ok := ctx.Value(UserContextKey).(*database.User)
|
||||
if !ok {
|
||||
|
||||
@@ -5,8 +5,6 @@ import (
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// VerifyOrigin prevents simple CSRF by ensuring the Origin or Referer header matches the Host header
|
||||
// for state-changing endpoints (POST/PUT/DELETE).
|
||||
func VerifyOrigin(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
|
||||
@@ -22,7 +20,7 @@ func VerifyOrigin(next http.Handler) http.Handler {
|
||||
http.Error(w, "Missing Origin or Referer header", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
refURL, err := url.Parse(referer)
|
||||
if err != nil {
|
||||
http.Error(w, "Invalid Referer header", http.StatusForbidden)
|
||||
@@ -32,12 +30,10 @@ func VerifyOrigin(next http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
host := r.Host
|
||||
// Optional: strip port if you only care about domain
|
||||
|
||||
// If origin doesn't match host (accounting for potential schema prefixes)
|
||||
expectedHTTP := "http://" + host
|
||||
expectedHTTPS := "https://" + host
|
||||
|
||||
|
||||
if origin != expectedHTTP && origin != expectedHTTPS {
|
||||
http.Error(w, "Cross-Site Request Forgery (CSRF) origin mismatch", http.StatusForbidden)
|
||||
return
|
||||
|
||||
@@ -34,7 +34,6 @@ func cleanupVisitors() {
|
||||
}
|
||||
}
|
||||
|
||||
// getIP attempts to get the real IP, falling back to RemoteAddr
|
||||
func getIP(r *http.Request) string {
|
||||
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
|
||||
ips := strings.Split(xff, ",")
|
||||
@@ -50,7 +49,6 @@ func getIP(r *http.Request) string {
|
||||
return ip
|
||||
}
|
||||
|
||||
// RateLimitAuth limits login/register attempts to prevent brute force
|
||||
func RateLimitAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
ip := getIP(r)
|
||||
@@ -67,7 +65,7 @@ func RateLimitAuth(next http.Handler) http.Handler {
|
||||
v.attempts++
|
||||
v.lastSeen = time.Now()
|
||||
}
|
||||
|
||||
|
||||
// If more than 5 attempts within a minute, block
|
||||
if exists && v.attempts > 5 {
|
||||
mu.Unlock()
|
||||
|
||||
Reference in New Issue
Block a user