瀏覽代碼
check signature on redirect will extend matching leadID for oneday, as user might editing their info again and again within one day.
master
Patrick Peng Sun
8 年之前
共有 2 個檔案被更改,包括 45 行新增 和 34 行删除
+ 15
- 8
crmpixel.go
查看文件
| @@ -194,13 +194,6 @@ func crmpixelLead(id string) (info crmdLead, err error) { | |||
| //redirect user to a URL "/pages/dashboard" | |||
| // | |||
| func setTrackingCookieAndRecirect(w http.ResponseWriter, r *http.Request) { | |||
| //check signature and then perform redirect | |||
| if !checkSignatureByToken(r, IntraAPIConfig.CRMSecrete) { | |||
| response403Handler(w) | |||
| return | |||
| } | |||
| m, err := url.ParseQuery(r.URL.RawQuery) | |||
| if err != nil { | |||
| response400Handler(w) | |||
| @@ -213,8 +206,22 @@ func setTrackingCookieAndRecirect(w http.ResponseWriter, r *http.Request) { | |||
| return | |||
| } | |||
| //set cookie if any | |||
| //check request leadID - lid and my cookie lead id | |||
| leadID, ok := m["lid"] | |||
| myLeadID, found := getLeadIDFromCookie(r) //existing cookie | |||
| expireInSeconds := 120 //default 2minute | |||
| if found && ok && myLeadID == leadID[0] { //our cookie match the request lid | |||
| expireInSeconds = 86400 //extended to 1 day | |||
| } | |||
| //check signature, prevent unauthorized request | |||
| if !checkSignatureByTokenWithExpireSeconds(r, IntraAPIConfig.CRMSecrete, expireInSeconds) { | |||
| response403Handler(w) | |||
| return | |||
| } | |||
| //set cookie if any | |||
| if ok { | |||
| log.Println("setlead cookie :" + leadID[0]) | |||
| cookie := cookieFromLeadID(leadID[0]) | |||
+ 30
- 26
server.go
查看文件
| @@ -139,7 +139,7 @@ func checkSignature(r *http.Request) bool { | |||
| return checkSignatureByToken(r, APIConfig.Token) | |||
| } | |||
| func checkSignatureByToken(r *http.Request, token string) bool { | |||
| func checkSignatureByTokenWithExpireSeconds(r *http.Request, token string, expireSeconds int) bool { | |||
| rq := r.URL.RawQuery | |||
| m, _ := url.ParseQuery(rq) | |||
| @@ -148,33 +148,37 @@ func checkSignatureByToken(r *http.Request, token string) bool { | |||
| nonce, nok := m["nonce"] | |||
| token = strings.TrimSpace(token) | |||
| if sok && tok && nok && token != "" { | |||
| return verifySignature(signature[0], timestamp[0], nonce[0], token) | |||
| return verifySignature(signature[0], timestamp[0], nonce[0], token, expireSeconds) | |||
| } | |||
| return false | |||
| } | |||
| func checkCookieSignatureBytoken(r *http.Request, token string) bool { | |||
| signature := "" | |||
| nonce := "" | |||
| timestamp := "" | |||
| for _, c := range r.Cookies() { | |||
| switch c.Name { | |||
| case "signature": | |||
| signature = c.Value | |||
| case "nonce": | |||
| nonce = c.Value | |||
| case "timestamp": | |||
| timestamp = c.Value | |||
| } | |||
| } | |||
| if signature != "" && nonce != "" && timestamp != "" && token != "" { | |||
| return verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete) | |||
| } | |||
| return false | |||
| func checkSignatureByToken(r *http.Request, token string) bool { | |||
| return checkSignatureByTokenWithExpireSeconds(r, token, 180) //180=3minutes | |||
| } | |||
| func verifySignature(signature, timestamp, nonce, token string) bool { | |||
| if timestampTooOldStr(timestamp) { | |||
| // func checkCookieSignatureBytoken(r *http.Request, token string) bool { | |||
| // signature := "" | |||
| // nonce := "" | |||
| // timestamp := "" | |||
| // for _, c := range r.Cookies() { | |||
| // switch c.Name { | |||
| // case "signature": | |||
| // signature = c.Value | |||
| // case "nonce": | |||
| // nonce = c.Value | |||
| // case "timestamp": | |||
| // timestamp = c.Value | |||
| // } | |||
| // } | |||
| // if signature != "" && nonce != "" && timestamp != "" && token != "" { | |||
| // return verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete, expireSeconds) | |||
| // } | |||
| // return false | |||
| // } | |||
| func verifySignature(signature, timestamp, nonce, token string, expireSeconds int) bool { | |||
| if timestampTooOldStr(timestamp, expireSeconds) { | |||
| return false | |||
| } | |||
| return signature == calculateSignature(timestamp, nonce, token) | |||
| @@ -197,22 +201,22 @@ func strSHA1(s string) string { | |||
| return calculated | |||
| } | |||
| func timestampTooOldStr(timestamp string) bool { | |||
| func timestampTooOldStr(timestamp string, expireSeconds int) bool { | |||
| ts, err := strconv.Atoi(timestamp) | |||
| if err != nil { | |||
| return true | |||
| } | |||
| return timestampTooOld(int32(ts)) | |||
| return timestampTooOld(int32(ts), expireSeconds) | |||
| } | |||
| func timestampTooOld(ts int32) bool { | |||
| func timestampTooOld(ts int32, expireSeconds int) bool { | |||
| //diff > 3min from now | |||
| now := int32(time.Now().Unix()) | |||
| diff := now - ts | |||
| if diff < 0 { | |||
| diff = -diff | |||
| } | |||
| return diff > 180 //3 minutes, 180 seconds | |||
| return diff > int32(expireSeconds) //3 minutes, 180 seconds | |||
| } | |||
| func timestampOldThan(ts int32, sec int32) bool { | |||
Loading…