lint fixes

elisasre · Dec 9, 2023 · 38ea4f6 · 38ea4f6
1 parent 73bf171
commit 38ea4f6
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/csrf.go b/csrf.go
@@ -20,6 +20,8 @@ const (
 	Xcsrf = "X-CSRF-Token"
 	// Authorization is the header name which contains the token.
 	Authorization = "Authorization"
+
+	https = "https"
 )
 
 var ignoreMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
@@ -103,7 +105,7 @@ func CSRF(excludePaths []string) gin.HandlerFunc {
 				return
 			}
 
-			if parsedURL.Scheme != "https" {
+			if parsedURL.Scheme != https {
 				c.JSON(403, ErrorResponse{Code: 403, Message: insecureReferer})
 				c.Abort()
 				return

diff --git a/csrf_test.go b/csrf_test.go
@@ -76,7 +76,7 @@ func TestCSRFNoRefererSucceeded(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "/ping", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)
 	assert.Equal(t, 403, w.Code)
@@ -88,7 +88,7 @@ func TestCSRFRefererInvalidURL(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "/ping", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.Header.Add("Referer", "foo")
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)
@@ -101,7 +101,7 @@ func TestCSRFRefererHTTPURL(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "/ping", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.Header.Add("Referer", "http://foo.fi")
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)
@@ -114,7 +114,7 @@ func TestCSRFRefererHTTPSURL(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "https://foo.fi/ping", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.Header.Add("Referer", "https://foo.fi")
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)
@@ -127,7 +127,7 @@ func TestCSRFDifferentDomainRefererHTTPSURL(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "https://foo.fi/ping", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.Header.Add("Referer", "https://foo2.fi")
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)
@@ -140,7 +140,7 @@ func TestCSRFAllowPaths(t *testing.T) {
 	w := httptest.NewRecorder()
 	req, _ := http.NewRequest("POST", "https://foo.fi/pingpong", nil)
 	req.Header.Add(Xcsrf, "foobar")
-	req.Header.Add("X-Forwarded-Proto", "https")
+	req.Header.Add("X-Forwarded-Proto", https)
 	req.Header.Add("Referer", "https://foo2.fi")
 	req.AddCookie(&http.Cookie{Name: CsrfTokenKey, Value: "foobar"})
 	r.ServeHTTP(w, req)

diff --git a/utils.go b/utils.go
@@ -64,13 +64,13 @@ func RandomToken() (string, error) {
 // routed through a reverse proxy with SSL termination.
 func IsHTTPS(r *http.Request) bool {
 	switch {
-	case r.URL.Scheme == "https":
+	case r.URL.Scheme == https:
 		return true
 	case r.TLS != nil:
 		return true
-	case strings.HasPrefix(r.Proto, "HTTPS"):
+	case strings.HasPrefix(strings.ToLower(r.Proto), https):
 		return true
-	case r.Header.Get("X-Forwarded-Proto") == "https":
+	case r.Header.Get("X-Forwarded-Proto") == https:
 		return true
 	default:
 		return false