David Pennington Xeoncross

## mock_http_client.go
// https://golang.org/pkg/net/http/#Client

type MockClient struct {
	Body   interface{}
	DoFunc func(req *http.Request) (*http.Response, error)
}

func (m *MockClient) Do(req *http.Request) (*http.Response, error) {

	if m.DoFunc != nil {

## use-local-storage-example.js
import { useState } from 'react';

// Usage
function App() {
  // Similar to useState but first arg is key to the value in local storage.
  const [name, setName] = useLocalStorage('name', 'Bob');

  return (
    <div>
      <input

## ApiProvider.tsx
import * as React from 'react';
import Axios, { AxiosInstance } from 'axios';
import { createContext, consume } from '../lib/context-utils';
import { AuthContext } from './AuthProvider';

export const ApiContext = createContext('apiContext', {
  api: undefined as AxiosInstance | undefined,
  auth: undefined as React.ContextType<typeof AuthContext> | undefined,
})

## use-auth.js
import React from 'react'
import firebaseConfig from '../path/to/firebase-config'
import firebase from 'firebase/app'
import 'firebase/auth'
import FullPageLoading from '../path/to/full-page-loading'

AuthProvider.actions = {
  setUser: 'SET_USER',
  toggleLoading: 'TOGGLE_LOADING',
}

## config.js
module.exports = {
  'HOSTPATH': 'http://your.host.here',
  'PORT': 80,
  'EXPRESS_SESSION_SECRET': '123456',
  'TWITTER_CONSUMER_KEY': 'your-consumer-key-here',
  'TWITTER_CONSUMER_SECRET': 'your-secret-here',
  'GOOGLE_APP_ID': 'your-app-id-here',
  'GOOGLE_CONSUMER_SECRET': 'your-consumer-secret-here',
};

## react_oauth_flow.md

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              0 stars
            
          
                Xeoncross
                / react_oauth_flow.md
            
            
              Last active Aug 5, 2019
            
              
                Breakdown of the different ways to handle OAuth flow for single-page apps like reactjs using backends on the same (or different) origin
              
          
      View react_oauth_flow.md
  
    
    I'm trying to handle OAuth from a react app. Rather than using an external service like Firebase or AuthO, I would like to handle OAuth login to facebook, google, twitter myself. (Regardless of the backend, OAuth libraries that can verify and trade the token for user info abound).
Here is the basic flow:

React SPA opens seperate [popup/iframe/browser tab] to our server
Our server creates OAuth URL payload and issues redirect to fb/google/twitter
User login on fb/google/twitter redirect back to our server
Our server communicates with React SPA
4.1. If same origin
4.1.1. Using localStorage


## fetchjson.js
// Look into wrapping fetch so it always returns JSON
export default function fetchjson(url, data, options) {

  const defaults = {
     // credentials: 'same-origin',
     credentials: 'omit',
     method: data ? 'post' : 'get',
     headers: {
       Accept: 'application/json, text/plain, */*',
       'Content-Type': data ? 'application/json' : 'text/plain; charset=utf-8',

## dual_router_wrapper.go
package main

import (
	"net/http"
	"reflect"

	"github.com/gorilla/mux"
	"github.com/julienschmidt/httprouter"
)

## go-secure-auth.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Xeoncross
                / go-secure-auth.md
            
            
              Created Jul 12, 2019
            
              
                Thoughts about securing user sessions using a regular token or JWT along with a HTTPS httpOnly cookie
              
          
      View go-secure-auth.md
  
    
    Secure Auth
A simple plan of avoiding both CSRF attacks and XSS attacks to steal sessions by combining the security of httpOnly cookies over HTTPS/TLS and a hashed token passed back by the client on every request.
The idea is simple, the token can be stolen, but cannot be used unless the attacker also has the secret from the cookie. Likewise, the cookie cannot be used unless the hashed token is also sent.
Since the cookie is httpOnly over HTTPS/TLS, the attacker will never be able to steal the session for use in another client. This means the only attack left is to get the victim to perform actions with a successful XSS attack that can load the hashed token from wherever it is stored (or use the same AJAX request functions), and then it can perform actions (CSRF) using the victims browser (only).
This might seem like only a partial win, but a hack allowing arbitrary Javascript to run on your clients browsers (XSS) leaves you with unavoidably big issues anyway. Both CORS and CSP headers are recommended

  
## cors_middleware.go
func HandlePreFlight(h http.HandlerFunc, methods ...string) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        methods = append(methods, http.MethodOptions)
        w.Header().Set("Content-Type", "application/json")
        w.Header().Set("Access-Control-Allow-Credentials", "true")
        w.Header().Set("Access-Control-Allow-Origin", config.APIAccessControlAllowOriginDomain)
        w.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))
        w.Header().Set("Access-Control-Allow-Headers", "Accept, Accept-Endcoding, Content-Type, Content-Length, Authorization, X-CSRF-token")
        w.Header().Set("Access-Control-Expose-Headers", "Session-Token")