x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(auth): #331 add first session test
Some checks failed
Build Docker Image / Build-Docker-Image (push) Failing after 39s
Details

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-22 22:14:55 +01:00
parent ea653f0087
commit 0246ada70e
7 changed files with 55 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
handler/middleware/authenticate.go
View File

@@ -21,15 +21,23 @@ func Authenticate(service service.Auth) func(http.Handler) http.Handler {
sessionId := getSessionID(r)
session, user, _ := service.SignInSession(sessionId)
if session != nil {
// Always sign in anonymous
// This way, we can always generate csrf tokens
if session == nil {
session, err := service.SignInAnonymous()
if err != nil {
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
ctx = context.WithValue(ctx, UserKey, user)
ctx = context.WithValue(ctx, SessionKey, session)
next.ServeHTTP(w, r.WithContext(ctx))
} else {
next.ServeHTTP(w, r)
cookie := CreateSessionCookie(session.Id)
http.SetCookie(w, &cookie)
}
ctx = context.WithValue(ctx, UserKey, user)
ctx = context.WithValue(ctx, SessionKey, session)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}

9
handler/middleware/cross_site_request_forgery.go
View File

@@ -62,15 +62,6 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
}
}
// Always sign in anonymous
// This way, there is no way to forget creating a csrf token
if session == nil {
session, _ = auth.SignInAnonymous()
cookie := CreateSessionCookie(session.Id)
http.SetCookie(w, &cookie)
}
responseWriter := newCsrfResponseWriter(w, auth, session)
next.ServeHTTP(responseWriter, r)
})

2
handler/middleware/security_headers.go
View File

@@ -22,7 +22,7 @@ func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Han
"form-action 'self'; "+
"frame-ancestors 'none'; ",
)
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Resource-Policy", "same-site") // same-site, as same origin prohibits umami
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
w.Header().Set("Permissions-Policy", "geolocation=(), camera=(), microphone=(), interest-cohort=()")