-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.go
More file actions
153 lines (132 loc) · 4.78 KB
/
middleware.go
File metadata and controls
153 lines (132 loc) · 4.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
package pubengine
import (
"net/http"
"strings"
"github.com/gorilla/sessions"
"github.com/labstack/echo-contrib/session"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
)
const sessionName = "admin_session"
func (a *App) setupMiddleware() {
e := a.Echo
e.IPExtractor = echo.ExtractIPFromXFFHeader(
echo.TrustLoopback(true),
echo.TrustLinkLocal(false),
echo.TrustPrivateNet(true),
)
e.HTTPErrorHandler = a.httpErrorHandler
e.Pre(middleware.NonWWWRedirect())
e.Use(middleware.RequestLoggerWithConfig(middleware.RequestLoggerConfig{
LogStatus: true,
LogURI: true,
LogMethod: true,
LogLatency: true,
LogValuesFunc: func(c echo.Context, v middleware.RequestLoggerValues) error {
c.Logger().Infof("%s %s -> %d (%s)", v.Method, v.URI, v.Status, v.Latency)
return nil
},
}))
e.Use(middleware.Recover())
e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
Level: 5,
Skipper: func(c echo.Context) bool {
return strings.HasPrefix(c.Request().URL.Path, "/public/")
},
}))
e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
XSSProtection: "1; mode=block",
ContentTypeNosniff: "nosniff",
XFrameOptions: "DENY",
ReferrerPolicy: "strict-origin-when-cross-origin",
ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://nanolytica.org https://www.googletagmanager.com blob:; style-src 'self' 'unsafe-inline'; img-src 'self' https: data:; font-src 'self'; connect-src 'self' data: blob: https://nanolytica.org https://www.google-analytics.com https://www.googletagmanager.com; worker-src 'self' blob:; media-src 'self' data:",
HSTSMaxAge: 31536000,
HSTSExcludeSubdomains: false,
}))
e.Use(session.Middleware(a.newSessionStore()))
e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
ContextKey: middleware.DefaultCSRFConfig.ContextKey,
TokenLookup: "header:X-CSRF-Token,form:_csrf",
CookieName: "_csrf",
CookiePath: "/",
CookieSameSite: func() http.SameSite {
return http.SameSiteLaxMode
}(),
CookieSecure: a.Config.CookieSecure,
Skipper: func(c echo.Context) bool {
path := c.Request().URL.Path
return strings.HasPrefix(path, "/api/analytics/") ||
path == "/admin/auth/google/callback"
},
ErrorHandler: func(err error, c echo.Context) error {
return c.String(http.StatusForbidden, "Forbidden")
},
}))
e.Use(middleware.AddTrailingSlashWithConfig(middleware.TrailingSlashConfig{
RedirectCode: http.StatusMovedPermanently,
Skipper: func(c echo.Context) bool {
path := c.Request().URL.Path
return strings.HasPrefix(path, "/public") ||
strings.HasPrefix(path, "/workbench") ||
strings.HasPrefix(path, "/api/") ||
strings.HasPrefix(path, "/admin/analytics/api/") ||
strings.HasPrefix(path, "/admin/analytics/fragments/") ||
path == "/admin/auth/google/callback" ||
path == "/sitemap.xml" || path == "/feed.xml" || path == "/robots.txt"
},
}))
e.Use(cacheControlMiddleware)
}
func cacheControlMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
path := c.Request().URL.Path
switch {
case strings.HasPrefix(path, "/public/"):
c.Response().Header().Set("Cache-Control", "public, max-age=31536000, immutable")
case path == "/sitemap.xml" || path == "/feed.xml" || path == "/robots.txt":
c.Response().Header().Set("Cache-Control", "public, max-age=86400")
case strings.HasPrefix(path, "/admin"):
c.Response().Header().Set("Cache-Control", "no-store")
default:
c.Response().Header().Set("Cache-Control", "public, max-age=3600")
}
return next(c)
}
}
func (a *App) newSessionStore() *sessions.CookieStore {
store := sessions.NewCookieStore([]byte(a.Config.SessionSecret))
store.Options = &sessions.Options{
Path: "/",
HttpOnly: true,
MaxAge: 60 * 60 * 12,
SameSite: http.SameSiteLaxMode,
Secure: a.Config.CookieSecure,
}
return store
}
// IsAdmin checks if the current session is authenticated.
func IsAdmin(c echo.Context) bool {
sess, err := session.Get(sessionName, c)
if err != nil {
return false
}
auth, ok := sess.Values["authenticated"].(bool)
return ok && auth
}
func setAdminSession(c echo.Context) error {
// session.Get always returns a usable session even when the existing
// cookie can't be decoded (e.g. secret changed). Ignore the decode error.
sess, _ := session.Get(sessionName, c)
sess.Values["authenticated"] = true
return sess.Save(c.Request(), c.Response())
}
func clearAdminSession(c echo.Context) error {
sess, _ := session.Get(sessionName, c)
sess.Options.MaxAge = -1
return sess.Save(c.Request(), c.Response())
}
// CsrfToken extracts the CSRF token from the Echo context.
func CsrfToken(c echo.Context) string {
token, _ := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
return token
}