Skip to content

Releases: goji/csrf

v1.3

24 Feb 15:34
Compare
Choose a tag to compare

v1.3 includes an important security fix for users of Go 1.2 (Debian <=7, Ubuntu <=14.10, etc.). This would cause token comparison to fail: https://groups.google.com/forum/#!topic/gojiberries/bJuFtlhjVqM

CHANGELOG:

  • [bugfix] Token comparison could fail on versions of Go < 1.3.
  • [ci] Updated Travis to use matrix builds.

v2.0.0-beta1 with net/context support

14 Dec 21:19
Compare
Choose a tag to compare
Pre-release

The v2.0.0-beta1 will likely be released under a standalone repo—nominally ctxcsrf—at some point in the near future.

BREAKING:

  • Now supports net/context's context.Context interface as the underlying request context, moving away from Goji v1's web.C
  • Broadly compatible with any application that supports the goji.Handler interface, which simply requires a ServeHTTPC(context.Context, http.ResponseWriter, *http.Request) method.
  • ErrorHandler now accepts a goji.Handler
  • Removed support for Go 1.4

Most of these changes align with Goji v2, which embraces context.Context in full.

HOW-TO:

The major changes you'll need to make in your application:

// Supports this signature if you cast it to a goji.HandlerFunc, or supply a `ServeHTTPC` method on your type
- func(web.C, http.ResponseWriter, *http.Request)
+ func(context.Context, http.ResponseWriter, *http.Request)

// Change from web.C to context.Context when retrieving tokens
- csrf.Token(c, r)
+ csrf.Token(ctx, r)

// If you're using Goji, apply the middleware to a context-aware method
- mux.Use(csrf.Protect([]byte(key)))
+ mux.UseC(csrf.Protect([]byte(key)))