David Pennington Xeoncross

Xeoncross / mock_http_client.go
Last active Aug 14, 2019
Simple wrapper to use for testing when you need a custom http.Client for faking network requests
View mock_http_client.go
type MockClient struct {
Body interface{}
DoFunc func(req *http.Request) (*http.Response, error)
func (m *MockClient) Do(req *http.Request) (*http.Response, error) {
if m.DoFunc != nil {
View use-local-storage-example.js
import { useState } from 'react';
// Usage
function App() {
// Similar to useState but first arg is key to the value in local storage.
const [name, setName] = useLocalStorage('name', 'Bob');
return (
View ApiProvider.tsx
import * as React from 'react';
import Axios, { AxiosInstance } from 'axios';
import { createContext, consume } from '../lib/context-utils';
import { AuthContext } from './AuthProvider';
export const ApiContext = createContext('apiContext', {
api: undefined as AxiosInstance | undefined,
auth: undefined as React.ContextType<typeof AuthContext> | undefined,
Xeoncross / use-auth.js
Created Aug 5, 2019 — forked from timc1/use-auth.js
React Context + Hooks + Firebase Authentication
View use-auth.js
import React from 'react'
import firebaseConfig from '../path/to/firebase-config'
import firebase from 'firebase/app'
import 'firebase/auth'
import FullPageLoading from '../path/to/full-page-loading'
AuthProvider.actions = {
setUser: 'SET_USER',
toggleLoading: 'TOGGLE_LOADING',
Xeoncross / config.js
Created Aug 4, 2019 — forked from mccahill/config.js
Example of a node OAuth (Twitter) and OAuth2 (Google Calendar) client that works with the version 3 Express framework. This assumes you have a config.js file holding the keys and secrets
View config.js
module.exports = {
'PORT': 80,
'TWITTER_CONSUMER_KEY': 'your-consumer-key-here',
'TWITTER_CONSUMER_SECRET': 'your-secret-here',
'GOOGLE_APP_ID': 'your-app-id-here',
'GOOGLE_CONSUMER_SECRET': 'your-consumer-secret-here',
Xeoncross /
Last active Aug 5, 2019
Breakdown of the different ways to handle OAuth flow for single-page apps like reactjs using backends on the same (or different) origin

I'm trying to handle OAuth from a React app. Rather than using an external service like Firebase or Auth0, I would like to handle OAuth login to Facebook, Google, and Twitter myself. (Regardless of the backend, OAuth libraries that can verify and trade the token for user info abound.)

Here is the basic flow:

  1. React SPA opens a separate [popup/iframe/browser tab] to our server
  2. Our server creates the OAuth URL payload and issues a redirect to fb/google/twitter
  3. User logs in on fb/google/twitter and is redirected back to our server
  4. Our server communicates with React SPA
     4.1. If same origin
          4.1.1. Using localStorage
Xeoncross / fetchjson.js
Created Jul 27, 2019
Basic fetch() wrapper to make sure we always get a JSON response even if there is an error, or the server returns some other content type.
View fetchjson.js
// Look into wrapping fetch so it always returns JSON
export default function fetchjson(url, data, options) {
const defaults = {
// credentials: 'same-origin',
credentials: 'omit',
method: data ? 'post' : 'get',
headers: {
Accept: 'application/json, text/plain, */*',
'Content-Type': data ? 'application/json' : 'text/plain; charset=utf-8',
Xeoncross / dual_router_wrapper.go
Created Jul 23, 2019
Example of wrapping both Gorilla/Mux and httprouter while keeping route params in golang
View dual_router_wrapper.go
package main
import (
Xeoncross /
Created Jul 12, 2019
Thoughts about securing user sessions using a regular token or JWT along with a HTTPS httpOnly cookie

Secure Auth

A simple plan for avoiding both CSRF attacks and XSS attacks that steal sessions, by combining the security of httpOnly cookies over HTTPS/TLS with a hashed token passed back by the client on every request.

The idea is simple: the token can be stolen, but cannot be used unless the attacker also has the secret from the cookie. Likewise, the cookie cannot be used unless the hashed token is also sent.

Since the cookie is httpOnly over HTTPS/TLS, the attacker will never be able to steal the session for use in another client. This means the only attack left is a successful XSS attack that loads the hashed token from wherever it is stored (or uses the same AJAX request functions) and then performs actions (CSRF) using the victim's browser (only).

This might seem like only a partial win, but a hack allowing arbitrary JavaScript to run on your clients' browsers (XSS) leaves you with unavoidably big issues anyway. Both CORS and CSP headers are recommended

Xeoncross / cors_middleware.go
Created Jul 6, 2019
Simple CORS middleware for Go as a http.Handler
View cors_middleware.go
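func HandlePreFlight(h http.HandlerFunc, methods ...string) http.HandlerFunc {
// Add OPTIONS once when the handler is wrapped; appending inside the returned
// closure would grow the shared slice (and race) on every request.
methods = append(methods, http.MethodOptions)
return func(w http.ResponseWriter, r *http.Request) {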
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Origin", config.APIAccessControlAllowOriginDomain)
w.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))
w.Header().Set("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Content-Type, Content-Length, Authorization, X-CSRF-token")
w.Header().Set("Access-Control-Expose-Headers", "Session-Token")