MVP, no mod tools or anything but it works

vendor/github.com/justinas/nosurf/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Justinas Stankevicius
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

vendor/github.com/justinas/nosurf/README.md

@@ -0,0 +1,125 @@
+# nosurf
+
+[![Build Status](https://travis-ci.org/justinas/nosurf.svg?branch=master)](https://travis-ci.org/justinas/nosurf)
+[![GoDoc](http://godoc.org/github.com/justinas/nosurf?status.png)](http://godoc.org/github.com/justinas/nosurf)
+
+`nosurf` is an HTTP package for Go
+that helps you prevent Cross-Site Request Forgery attacks.
+It acts like a middleware and therefore 
+is compatible with basically any Go HTTP application.
+
+### Why?
+Even though CSRF is a prominent vulnerability,
+Go's web-related package infrastructure mostly consists of
+micro-frameworks that neither do implement CSRF checks,
+nor should they.
+
+`nosurf` solves this problem by providing a `CSRFHandler`
+that wraps your `http.Handler` and checks for CSRF attacks
+on every non-safe (non-GET/HEAD/OPTIONS/TRACE) method.
+
+`nosurf` requires Go 1.1 or later.
+
+### Features
+
+* Supports any `http.Handler` (frameworks, your own handlers, etc.)
+and acts like one itself.
+* Allows exempting specific endpoints from CSRF checks by
+an exact URL, a glob, or a regular expression.
+* Allows specifying your own failure handler. 
+Want to present the hacker with an ASCII middle finger
+instead of the plain old `HTTP 400`? No problem.
+* Uses masked tokens to mitigate the BREACH attack.
+* Has no dependencies outside the Go standard library.
+
+### Example
+```go
+package main
+
+import (
+	"fmt"
+	"github.com/justinas/nosurf"
+	"html/template"
+	"net/http"
+)
+
+var templateString string = `
+<!doctype html>
+<html>
+<body>
+{{ if .name }}
+<p>Your name: {{ .name }}</p>
+{{ end }}
+<form action="/" method="POST">
+<input type="text" name="name">
+
+<!-- Try removing this or changing its value
+     and see what happens -->
+<input type="hidden" name="csrf_token" value="{{ .token }}">
+<input type="submit" value="Send">
+</form>
+</body>
+</html>
+`
+var templ = template.Must(template.New("t1").Parse(templateString))
+
+func myFunc(w http.ResponseWriter, r *http.Request) {
+	context := make(map[string]string)
+	context["token"] = nosurf.Token(r)
+	if r.Method == "POST" {
+		context["name"] = r.FormValue("name")
+	}
+	
+	templ.Execute(w, context)
+}
+
+func main() {
+	myHandler := http.HandlerFunc(myFunc)
+	fmt.Println("Listening on http://127.0.0.1:8000/")
+	http.ListenAndServe(":8000", nosurf.New(myHandler))
+}
+```
+
+### Manual token verification
+In some cases the CSRF token may be send through a non standard way,
+e.g. a body or request is a JSON encoded message with one of the fields
+being a token.
+
+In such case the handler(path) should be excluded from an automatic
+verification by using one of the exemption methods:
+
+```go
+	func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool)
+	func (h *CSRFHandler) ExemptGlob(pattern string)
+	func (h *CSRFHandler) ExemptGlobs(patterns ...string)
+	func (h *CSRFHandler) ExemptPath(path string)
+	func (h *CSRFHandler) ExemptPaths(paths ...string)
+	func (h *CSRFHandler) ExemptRegexp(re interface{})
+	func (h *CSRFHandler) ExemptRegexps(res ...interface{})
+```
+
+Later on, the token **must** be verified by manually getting the token from the cookie
+and providing the token sent in body through: `VerifyToken(tkn, tkn2 string) bool`.
+
+Example:
+```go
+func HandleJson(w http.ResponseWriter, r *http.Request) {
+	d := struct{
+		X,Y int
+		Tkn string
+	}{}
+	json.Unmarshal(ioutil.ReadAll(r.Body), &d)
+	if !nosurf.VerifyToken(Token(r), d.Tkn) {
+		http.Errorf(w, "CSRF token incorrect", http.StatusBadRequest)
+		return
+	}
+	// do smth cool
+}
+```
+
+### Contributing
+
+0. Find an issue that bugs you / open a new one.
+1. Discuss.
+2. Branch off, commit, test.
+3. Make a pull request / attach the commits to the issue.

vendor/github.com/justinas/nosurf/context.go

@@ -0,0 +1,60 @@
+// +build go1.7
+
+package nosurf
+
+import "net/http"
+
+type ctxKey int
+
+const (
+	nosurfKey ctxKey = iota
+)
+
+type csrfContext struct {
+	// The masked, base64 encoded token
+	// That's suitable for use in form fields, etc.
+	token string
+	// reason for the failure of CSRF check
+	reason error
+}
+
+// Token takes an HTTP request and returns
+// the CSRF token for that request
+// or an empty string if the token does not exist.
+//
+// Note that the token won't be available after
+// CSRFHandler finishes
+// (that is, in another handler that wraps it,
+// or after the request has been served)
+func Token(req *http.Request) string {
+	ctx := req.Context().Value(nosurfKey).(*csrfContext)
+
+	return ctx.token
+}
+
+// Reason takes an HTTP request and returns
+// the reason of failure of the CSRF check for that request
+//
+// Note that the same availability restrictions apply for Reason() as for Token().
+func Reason(req *http.Request) error {
+	ctx := req.Context().Value(nosurfKey).(*csrfContext)
+
+	return ctx.reason
+}
+
+func ctxClear(_ *http.Request) {
+}
+
+func ctxSetToken(req *http.Request, token []byte) {
+	ctx := req.Context().Value(nosurfKey).(*csrfContext)
+	ctx.token = b64encode(maskToken(token))
+}
+
+func ctxSetReason(req *http.Request, reason error) {
+	ctx := req.Context().Value(nosurfKey).(*csrfContext)
+	if ctx.token == "" {
+		panic("Reason should never be set when there's no token in the context yet.")
+	}
+
+	ctx.reason = reason
+}

vendor/github.com/justinas/nosurf/context_legacy.go

@@ -0,0 +1,101 @@
+// +build !go1.7
+
+package nosurf
+
+import (
+	"net/http"
+	"sync"
+)
+
+// This file implements a context similar to one found
+// in gorilla/context, but tailored specifically for our use case
+// and not using gorilla's package just because.
+
+type csrfContext struct {
+	// The masked, base64 encoded token
+	// That's suitable for use in form fields, etc.
+	token string
+	// reason for the failure of CSRF check
+	reason error
+}
+
+var (
+	contextMap = make(map[*http.Request]*csrfContext)
+	cmMutex    = new(sync.RWMutex)
+)
+
+// Token() takes an HTTP request and returns
+// the CSRF token for that request
+// or an empty string if the token does not exist.
+//
+// Note that the token won't be available after
+// CSRFHandler finishes
+// (that is, in another handler that wraps it,
+// or after the request has been served)
+func Token(req *http.Request) string {
+	cmMutex.RLock()
+	defer cmMutex.RUnlock()
+
+	ctx, ok := contextMap[req]
+
+	if !ok {
+		return ""
+	}
+
+	return ctx.token
+}
+
+// Reason() takes an HTTP request and returns
+// the reason of failure of the CSRF check for that request
+//
+// Note that the same availability restrictions apply for Reason() as for Token().
+func Reason(req *http.Request) error {
+	cmMutex.RLock()
+	defer cmMutex.RUnlock()
+
+	ctx, ok := contextMap[req]
+
+	if !ok {
+		return nil
+	}
+
+	return ctx.reason
+}
+
+// Takes a raw token, masks it with a per-request key,
+// encodes in base64 and makes it available to the wrapped handler
+func ctxSetToken(req *http.Request, token []byte) *http.Request {
+	cmMutex.Lock()
+	defer cmMutex.Unlock()
+
+	ctx, ok := contextMap[req]
+	if !ok {
+		ctx = new(csrfContext)
+		contextMap[req] = ctx
+	}
+
+	ctx.token = b64encode(maskToken(token))
+
+	return req
+}
+
+func ctxSetReason(req *http.Request, reason error) *http.Request {
+	cmMutex.Lock()
+	defer cmMutex.Unlock()
+
+	ctx, ok := contextMap[req]
+	if !ok {
+		panic("Reason should never be set when there's no token" +
+			" (context) yet.")
+	}
+
+	ctx.reason = reason
+	return req
+}
+
+func ctxClear(req *http.Request) {
+	cmMutex.Lock()
+	defer cmMutex.Unlock()
+
+	delete(contextMap, req)
+}

vendor/github.com/justinas/nosurf/crypto.go

@@ -0,0 +1,54 @@
+package nosurf
+
+import (
+	"crypto/rand"
+	"io"
+)
+
+// Masks/unmasks the given data *in place*
+// with the given key
+// Slices must be of the same length, or oneTimePad will panic
+func oneTimePad(data, key []byte) {
+	n := len(data)
+	if n != len(key) {
+		panic("Lengths of slices are not equal")
+	}
+
+	for i := 0; i < n; i++ {
+		data[i] ^= key[i]
+	}
+}
+
+func maskToken(data []byte) []byte {
+	if len(data) != tokenLength {
+		return nil
+	}
+
+	// tokenLength*2 == len(enckey + token)
+	result := make([]byte, 2*tokenLength)
+	// the first half of the result is the OTP
+	// the second half is the masked token itself
+	key := result[:tokenLength]
+	token := result[tokenLength:]
+	copy(token, data)
+
+	// generate the random token
+	if _, err := io.ReadFull(rand.Reader, key); err != nil {
+		panic(err)
+	}
+
+	oneTimePad(token, key)
+	return result
+}
+
+func unmaskToken(data []byte) []byte {
+	if len(data) != tokenLength*2 {
+		return nil
+	}
+
+	key := data[:tokenLength]
+	token := data[tokenLength:]
+	oneTimePad(token, key)
+
+	return token
+}

vendor/github.com/justinas/nosurf/exempt.go

@@ -0,0 +1,108 @@
+package nosurf
+
+import (
+	"fmt"
+	"net/http"
+	pathModule "path"
+	"reflect"
+	"regexp"
+)
+
+// Checks if the given request is exempt from CSRF checks.
+// It checks the ExemptFunc first, then the exact paths,
+// then the globs and finally the regexps.
+func (h *CSRFHandler) IsExempt(r *http.Request) bool {
+	if h.exemptFunc != nil && h.exemptFunc(r) {
+		return true
+	}
+
+	path := r.URL.Path
+	if sContains(h.exemptPaths, path) {
+		return true
+	}
+
+	// then the globs
+	for _, glob := range h.exemptGlobs {
+		matched, err := pathModule.Match(glob, path)
+		if matched && err == nil {
+			return true
+		}
+	}
+
+	// finally, the regexps
+	for _, re := range h.exemptRegexps {
+		if re.MatchString(path) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Exempts an exact path from CSRF checks
+// With this (and other Exempt* methods)
+// you should take note that Go's paths
+// include a leading slash.
+func (h *CSRFHandler) ExemptPath(path string) {
+	h.exemptPaths = append(h.exemptPaths, path)
+}
+
+// A variadic argument version of ExemptPath()
+func (h *CSRFHandler) ExemptPaths(paths ...string) {
+	for _, v := range paths {
+		h.ExemptPath(v)
+	}
+}
+
+// Exempts URLs that match the specified glob pattern
+// (as used by filepath.Match()) from CSRF checks
+//
+// Note that ExemptGlob() is unable to detect syntax errors,
+// because it doesn't have a path to check it against
+// and filepath.Match() doesn't report an error
+// if the path is empty.
+// If we find a way to check the syntax, ExemptGlob
+// MIGHT PANIC on a syntax error in the future.
+// ALWAYS check your globs for syntax errors.
+func (h *CSRFHandler) ExemptGlob(pattern string) {
+	h.exemptGlobs = append(h.exemptGlobs, pattern)
+}
+
+// A variadic argument version of ExemptGlob()
+func (h *CSRFHandler) ExemptGlobs(patterns ...string) {
+	for _, v := range patterns {
+		h.ExemptGlob(v)
+	}
+}
+
+// Accepts a regular expression string or a compiled *regexp.Regexp
+// and exempts URLs that match it from CSRF checks.
+//
+// If the given argument is neither of the accepted values,
+// or the given string fails to compile, ExemptRegexp() panics.
+func (h *CSRFHandler) ExemptRegexp(re interface{}) {
+	var compiled *regexp.Regexp
+
+	switch re.(type) {
+	case string:
+		compiled = regexp.MustCompile(re.(string))
+	case *regexp.Regexp:
+		compiled = re.(*regexp.Regexp)
+	default:
+		err := fmt.Sprintf("%v isn't a valid type for ExemptRegexp()", reflect.TypeOf(re))
+		panic(err)
+	}
+
+	h.exemptRegexps = append(h.exemptRegexps, compiled)
+}
+
+// A variadic argument version of ExemptRegexp()
+func (h *CSRFHandler) ExemptRegexps(res ...interface{}) {
+	for _, v := range res {
+		h.ExemptRegexp(v)
+	}
+}
+
+func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool) {
+	h.exemptFunc = fn
+}

vendor/github.com/justinas/nosurf/handler.go

@@ -0,0 +1,220 @@
+// Package nosurf implements an HTTP handler that
+// mitigates Cross-Site Request Forgery Attacks.
+package nosurf
+
+import (
+	"errors"
+	"net/http"
+	"net/url"
+	"regexp"
+)
+
+const (
+	// the name of CSRF cookie
+	CookieName = "csrf_token"
+	// the name of the form field
+	FormFieldName = "csrf_token"
+	// the name of CSRF header
+	HeaderName = "X-CSRF-Token"
+	// the HTTP status code for the default failure handler
+	FailureCode = 400
+
+	// Max-Age in seconds for the default base cookie. 365 days.
+	MaxAge = 365 * 24 * 60 * 60
+)
+
+var safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
+
+// reasons for CSRF check failures
+var (
+	ErrNoReferer  = errors.New("A secure request contained no Referer or its value was malformed")
+	ErrBadReferer = errors.New("A secure request's Referer comes from a different Origin" +
+		" from the request's URL")
+	ErrBadToken = errors.New("The CSRF token in the cookie doesn't match the one" +
+		" received in a form/header.")
+)
+
+type CSRFHandler struct {
+	// Handlers that CSRFHandler wraps.
+	successHandler http.Handler
+	failureHandler http.Handler
+
+	// The base cookie that CSRF cookies will be built upon.
+	// This should be a better solution of customizing the options
+	// than a bunch of methods SetCookieExpiration(), etc.
+	baseCookie http.Cookie
+
+	// Slices of paths that are exempt from CSRF checks.
+	// They can be specified by...
+	// ...an exact path,
+	exemptPaths []string
+	// ...a regexp,
+	exemptRegexps []*regexp.Regexp
+	// ...or a glob (as used by path.Match()).
+	exemptGlobs []string
+	// ...or a custom matcher function
+	exemptFunc func(r *http.Request) bool
+
+	// All of those will be matched against Request.URL.Path,
+	// So they should take the leading slash into account
+}
+
+func defaultFailureHandler(w http.ResponseWriter, r *http.Request) {
+	http.Error(w, "", FailureCode)
+}
+
+// Extracts the "sent" token from the request
+// and returns an unmasked version of it
+func extractToken(r *http.Request) []byte {
+	var sentToken string
+
+	// Prefer the header over form value
+	sentToken = r.Header.Get(HeaderName)
+
+	// Then POST values
+	if len(sentToken) == 0 {
+		sentToken = r.PostFormValue(FormFieldName)
+	}
+
+	// If all else fails, try a multipart value.
+	// PostFormValue() will already have called ParseMultipartForm()
+	if len(sentToken) == 0 && r.MultipartForm != nil {
+		vals := r.MultipartForm.Value[FormFieldName]
+		if len(vals) != 0 {
+			sentToken = vals[0]
+		}
+	}
+
+	return b64decode(sentToken)
+}
+
+// Constructs a new CSRFHandler that calls
+// the specified handler if the CSRF check succeeds.
+func New(handler http.Handler) *CSRFHandler {
+	baseCookie := http.Cookie{}
+	baseCookie.MaxAge = MaxAge
+
+	csrf := &CSRFHandler{successHandler: handler,
+		failureHandler: http.HandlerFunc(defaultFailureHandler),
+		baseCookie:     baseCookie,
+	}
+
+	return csrf
+}
+
+// The same as New(), but has an interface return type.
+func NewPure(handler http.Handler) http.Handler {
+	return New(handler)
+}
+
+func (h *CSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	r = addNosurfContext(r)
+	defer ctxClear(r)
+	w.Header().Add("Vary", "Cookie")
+
+	var realToken []byte
+
+	tokenCookie, err := r.Cookie(CookieName)
+	if err == nil {
+		realToken = b64decode(tokenCookie.Value)
+	}
+
+	// If the length of the real token isn't what it should be,
+	// it has either been tampered with,
+	// or we're migrating onto a new algorithm for generating tokens,
+	// or it hasn't ever been set so far.
+	// In any case of those, we should regenerate it.
+	//
+	// As a consequence, CSRF check will fail when comparing the tokens later on,
+	// so we don't have to fail it just yet.
+	if len(realToken) != tokenLength {
+		h.RegenerateToken(w, r)
+	} else {
+		ctxSetToken(r, realToken)
+	}
+
+	if sContains(safeMethods, r.Method) || h.IsExempt(r) {
+		// short-circuit with a success for safe methods
+		h.handleSuccess(w, r)
+		return
+	}
+
+	// if the request is secure, we enforce origin check
+	// for referer to prevent MITM of http->https requests
+	if r.URL.Scheme == "https" {
+		referer, err := url.Parse(r.Header.Get("Referer"))
+
+		// if we can't parse the referer or it's empty,
+		// we assume it's not specified
+		if err != nil || referer.String() == "" {
+			ctxSetReason(r, ErrNoReferer)
+			h.handleFailure(w, r)
+			return
+		}
+
+		// if the referer doesn't share origin with the request URL,
+		// we have another error for that
+		if !sameOrigin(referer, r.URL) {
+			ctxSetReason(r, ErrBadReferer)
+			h.handleFailure(w, r)
+			return
+		}
+	}
+
+	// Finally, we check the token itself.
+	sentToken := extractToken(r)
+
+	if !verifyToken(realToken, sentToken) {
+		ctxSetReason(r, ErrBadToken)
+		h.handleFailure(w, r)
+		return
+	}
+
+	// Everything else passed, handle the success.
+	h.handleSuccess(w, r)
+}
+
+// handleSuccess simply calls the successHandler.
+// Everything else, like setting a token in the context
+// is taken care of by h.ServeHTTP()
+func (h *CSRFHandler) handleSuccess(w http.ResponseWriter, r *http.Request) {
+	h.successHandler.ServeHTTP(w, r)
+}
+
+// Same applies here: h.ServeHTTP() sets the failure reason, the token,
+// and only then calls handleFailure()
+func (h *CSRFHandler) handleFailure(w http.ResponseWriter, r *http.Request) {
+	h.failureHandler.ServeHTTP(w, r)
+}
+
+// Generates a new token, sets it on the given request and returns it
+func (h *CSRFHandler) RegenerateToken(w http.ResponseWriter, r *http.Request) string {
+	token := generateToken()
+	h.setTokenCookie(w, r, token)
+
+	return Token(r)
+}
+
+func (h *CSRFHandler) setTokenCookie(w http.ResponseWriter, r *http.Request, token []byte) {
+	// ctxSetToken() does the masking for us
+	ctxSetToken(r, token)
+
+	cookie := h.baseCookie
+	cookie.Name = CookieName
+	cookie.Value = b64encode(token)
+
+	http.SetCookie(w, &cookie)
+
+}
+
+// Sets the handler to call in case the CSRF check
+// fails. By default it's defaultFailureHandler.
+func (h *CSRFHandler) SetFailureHandler(handler http.Handler) {
+	h.failureHandler = handler
+}
+
+// Sets the base cookie to use when building a CSRF token cookie
+// This way you can specify the Domain, Path, HttpOnly, Secure, etc.
+func (h *CSRFHandler) SetBaseCookie(cookie http.Cookie) {
+	h.baseCookie = cookie
+}

vendor/github.com/justinas/nosurf/handler_go17.go

@@ -0,0 +1,12 @@
+// +build go1.7
+
+package nosurf
+
+import (
+	"context"
+	"net/http"
+)
+
+func addNosurfContext(r *http.Request) *http.Request {
+	return r.WithContext(context.WithValue(r.Context(), nosurfKey, &csrfContext{}))
+}

vendor/github.com/justinas/nosurf/handler_legacy.go

@@ -0,0 +1,9 @@
+// +build !go1.7
+
+package nosurf
+
+import "net/http"
+
+func addNosurfContext(r *http.Request) *http.Request {
+	return r
+}

vendor/github.com/justinas/nosurf/token.go

@@ -0,0 +1,105 @@
+package nosurf
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"io"
+)
+
+const (
+	tokenLength = 32
+)
+
+/*
+There are two types of tokens.
+
+* The unmasked "real" token consists of 32 random bytes.
+  It is stored in a cookie (base64-encoded) and it's the
+  "reference" value that sent tokens get compared to.
+
+* The masked "sent" token consists of 64 bytes:
+  32 byte key used for one-time pad masking and
+  32 byte "real" token masked with the said key.
+  It is used as a value (base64-encoded as well)
+  in forms and/or headers.
+
+Upon processing, both tokens are base64-decoded
+and then treated as 32/64 byte slices.
+*/
+
+// A token is generated by returning tokenLength bytes
+// from crypto/rand
+func generateToken() []byte {
+	bytes := make([]byte, tokenLength)
+
+	if _, err := io.ReadFull(rand.Reader, bytes); err != nil {
+		panic(err)
+	}
+
+	return bytes
+}
+
+func b64encode(data []byte) string {
+	return base64.StdEncoding.EncodeToString(data)
+}
+
+func b64decode(data string) []byte {
+	decoded, err := base64.StdEncoding.DecodeString(data)
+	if err != nil {
+		return nil
+	}
+	return decoded
+}
+
+// VerifyToken verifies the sent token equals the real one
+// and returns a bool value indicating if tokens are equal.
+// Supports masked tokens. realToken comes from Token(r) and
+// sentToken is token sent unusual way.
+func VerifyToken(realToken, sentToken string) bool {
+	r := b64decode(realToken)
+	if len(r) == 2*tokenLength {
+		r = unmaskToken(r)
+	}
+	s := b64decode(sentToken)
+	if len(s) == 2*tokenLength {
+		s = unmaskToken(s)
+	}
+	return subtle.ConstantTimeCompare(r, s) == 1
+}
+
+func verifyToken(realToken, sentToken []byte) bool {
+	realN := len(realToken)
+	sentN := len(sentToken)
+
+	// sentN == tokenLength means the token is unmasked
+	// sentN == 2*tokenLength means the token is masked.
+
+	if realN == tokenLength && sentN == 2*tokenLength {
+		return verifyMasked(realToken, sentToken)
+	} else {
+		return false
+	}
+}
+
+// Verifies the masked token
+func verifyMasked(realToken, sentToken []byte) bool {
+	sentPlain := unmaskToken(sentToken)
+	return subtle.ConstantTimeCompare(realToken, sentPlain) == 1
+}
+
+func checkForPRNG() {
+	// Check that cryptographically secure PRNG is available
+	// In case it's not, panic.
+	buf := make([]byte, 1)
+	_, err := io.ReadFull(rand.Reader, buf)
+
+	if err != nil {
+		panic(fmt.Sprintf("crypto/rand is unavailable: Read() failed with %#v", err))
+	}
+}
+
+func init() {
+	checkForPRNG()
+}

vendor/github.com/justinas/nosurf/utils.go

@@ -0,0 +1,25 @@
+package nosurf
+
+import (
+	"net/url"
+)
+
+func sContains(slice []string, s string) bool {
+	// checks if the given slice contains the given string
+	for _, v := range slice {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
+
+// Checks if the given URLs have the same origin
+// (that is, they share the host, the port and the scheme)
+func sameOrigin(u1, u2 *url.URL) bool {
+	// we take pointers, as url.Parse() returns a pointer
+	// and http.Request.URL is a pointer as well
+
+	// Host is either host or host:port
+	return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
+}