Merge pull request #14 from gobuffalo/no-content-type-constraint

No content type constraint

csrf.go

@@ -28,7 +28,6 @@ var (
 
 	// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
 	safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
-	htmlTypes   = []string{"html", "form", "plain", "*/*"}
 )
 
 var (
@@ -60,15 +59,6 @@ var New = func(next buffalo.Handler) buffalo.Handler {
 	return func(c buffalo.Context) error {
 		req := c.Request()
 
-		ct := req.Header.Get("Content-Type")
-		if len(ct) == 0 {
-			ct = req.Header.Get("Accept")
-		}
-		// ignore non-html requests
-		if ct != "" && !contains(htmlTypes, ct) {
-			return next(c)
-		}
-
 		var realToken []byte
 		var err error
 		rawRealToken := c.Session().Get(tokenKey)
@@ -100,11 +90,11 @@ var New = func(next buffalo.Handler) buffalo.Handler {
 				// otherwise fails to parse.
 				referer, err := url.Parse(req.Referer())
 				if err != nil || referer.String() == "" {
-					return ErrNoReferer
+					return c.Error(http.StatusForbidden, ErrNoReferer)
 				}
 
 				if !sameOrigin(req.URL, referer) {
-					return ErrBadReferer
+					return c.Error(http.StatusForbidden, ErrBadReferer)
 				}
 			}
 
@@ -113,12 +103,12 @@ var New = func(next buffalo.Handler) buffalo.Handler {
 
 			// Missing token
 			if requestToken == nil {
-				return ErrNoToken
+				return c.Error(http.StatusForbidden, ErrNoToken)
 			}
 
 			// Compare tokens
 			if !compareTokens(requestToken, realToken) {
-				return ErrBadToken
+				return c.Error(http.StatusForbidden, ErrBadToken)
 			}
 		}
 

csrf_test.go

@@ -1,6 +1,7 @@
 package csrf_test
 
 import (
+	"net/http"
 	"os"
 	"testing"
 
@@ -52,11 +53,12 @@ func Test_CSRFOnJSONRequest(t *testing.T) {
 
 	// Test missing token case
 	res := w.HTML("/csrf").Post("")
-	r.Equal(500, res.Code)
+	r.Equal(http.StatusForbidden, res.Code)
 	r.Contains(res.Body.String(), "CSRF token not found in request")
 
 	rs := w.JSON("/csrf").Post("")
-	r.Equal(420, rs.Code)
+	r.Equal(http.StatusForbidden, rs.Code)
+	r.Contains(res.Body.String(), "CSRF token not found in request")
 }
 
 func Test_CSRF_TestMode(t *testing.T) {
@@ -83,14 +85,14 @@ func Test_CSRFOnEditingAction(t *testing.T) {
 
 	// Test missing token case
 	res := w.HTML("/csrf").Post("")
-	r.Equal(500, res.Code)
+	r.Equal(http.StatusForbidden, res.Code)
 	r.Contains(res.Body.String(), "CSRF token not found in request")
 
 	// Test provided bad token through Header case
 	req := w.HTML("/csrf")
 	req.Headers["X-CSRF-Token"] = "test-token"
 	res = req.Post("")
-	r.Equal(500, res.Code)
+	r.Equal(http.StatusForbidden, res.Code)
 	r.Contains(res.Body.String(), "CSRF token not found in request")
 
 	// Test provided good token through Header case

go.mod

@@ -3,8 +3,8 @@ module github.com/gobuffalo/mw-csrf
 go 1.16
 
 require (
-	github.com/gobuffalo/buffalo v0.18.9
-	github.com/gobuffalo/envy v1.10.1
-	github.com/gobuffalo/httptest v1.5.1
-	github.com/stretchr/testify v1.8.0
+	github.com/gobuffalo/buffalo v1.1.0
+	github.com/gobuffalo/envy v1.10.2
+	github.com/gobuffalo/httptest v1.5.2
+	github.com/stretchr/testify v1.8.1
 )