Hooks for authboss routes. #221

Closed
frederikhors opened this issue Jan 11, 2019 · 3 comments

@frederikhors
Contributor

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#210).

I was wondering if there is a way to do something when a user reaches, let's say, the route "/logout".

Use case:

I have many cookies and I need to delete all of them when I visit "/logout" (using ab.Config.Modules.LogoutMethod = "GET").

Now I don't know how to do it because my router is:

r.Group(func(r chi.Router) {
	r.Use(auth.DataInjector)
	r.Use(authboss.ModuleListMiddleware(config.Ab))
	r.Mount(AUTH_URL, http.StripPrefix(AUTH_URL, config.Ab.Config.Core.Router))
})

  • Maybe I can wrap(something)?
  • Maybe a simple middleware which detects the right "/path"?
  • Can we call them "hooks"?

What is the best method?

@aarondl
Member

aarondl commented Jan 12, 2019

You can simply write a middleware to watch for the POST path. We could also add an AfterLogout event. We recently added some support for this in the dev branch with whitelisted session values.

@frederikhors
Contributor Author

> We could also add an AfterLogout event. We recently added some support for this in the dev branch with whitelisted session values.

Are there some docs about events?

What do you think about the below code for now?

I'm using RemoveCSRFCookie like this:

var (
	csrfCookie = &http.Cookie{
		Name:     "X-CSRF-Token",
		Path:     "/",
	}
)

...
r.Use(utility.Nosurfing, config.Ab.LoadClientStateMiddleware, remember.Middleware(config.Ab), utility.AddCSRFCookie)
...
r.Group(func(r chi.Router) {
	r.Use(auth.DataInjector, authboss.ModuleListMiddleware(config.Ab), utility.RemoveCSRFCookie)
	r.Mount(AUTH_URL, http.StripPrefix(AUTH_URL, config.Ab.Config.Core.Router))
})

func AddCSRFCookie(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if userInter, err := config.Ab.LoadCurrentUser(&r); userInter != nil && err == nil {
			cookie := *csrfCookie
			cookie.Value = nosurf.Token(r)
			http.SetCookie(w, &cookie)
		}
		handler.ServeHTTP(w, r)
	})
}

func RemoveCSRFCookie(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "GET" && strings.Contains(r.URL.Path, "/auth/logout") {
			cookie := *csrfCookie
			cookie.MaxAge = -1
			http.SetCookie(w, &cookie)
		}
		handler.ServeHTTP(w, r)
	})
}

@aarondl
Member

aarondl commented Jan 20, 2019

I don't really understand why you'd want to remove the CSRF cookie ever. But that code looks like it should work. There are only godocs available for events. See events.go
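An added example, not code from this thread or from authboss: one way to write the logout-watching middleware discussed above with only the standard library, comparing the path exactly instead of with `strings.Contains` and, going slightly beyond the thread, taking a list of cookie names. `ExpireCookiesOn`, `expiredBy`, the `prefs` cookie and the stand-in inner handler are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ExpireCookiesOn (hypothetical name, not an authboss API) returns middleware
// that expires the named cookies when a request is exactly method+path.
// path is the full path as seen before http.StripPrefix runs.
func ExpireCookiesOn(method, path string, names ...string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Exact comparison: strings.Contains would also fire on paths
			// such as /auth/logout-help or /x/auth/logout/y.
			if r.Method == method && r.URL.Path == path {
				for _, n := range names {
					// Path must equal the Path the cookie was set with,
					// otherwise the browser keeps the original cookie.
					http.SetCookie(w, &http.Cookie{Name: n, Path: "/", MaxAge: -1})
				}
			}
			next.ServeHTTP(w, r)
		})
	}
}

// expiredBy sends one request through the middleware and returns the names
// of the cookies that the response tells the browser to delete.
func expiredBy(method, path string) []string {
	// Stand-in for the mounted authboss router (constructed for this example).
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/", http.StatusFound)
	})
	h := ExpireCookiesOn(http.MethodGet, "/auth/logout", "X-CSRF-Token", "prefs")(inner)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	var out []string
	for _, c := range rec.Result().Cookies() {
		if c.MaxAge < 0 {
			out = append(out, c.Name)
		}
	}
	return out
}

func main() {
	fmt.Println(expiredBy("GET", "/auth/logout"), expiredBy("GET", "/auth/logout-help"))
}
```

With chi, the returned function can be passed to `r.Use` in the same group that mounts the authboss router.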
