feat(security): #286 use csrf token for delete request

This commit was merged in pull request #304.
2024-12-11 15:47:29 +01:00
parent 8cf2210aaf
commit 12d7c13b02
4 changed files with 82 additions and 87 deletions


@@ -30,6 +30,7 @@ func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
if err == nil {
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
dataStr = strings.ReplaceAll(dataStr, "CSRF_TOKEN", csrfToken)
}
}
@@ -52,30 +53,21 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
r.Method == http.MethodPatch {
csrfToken := r.FormValue("csrf-token")
if csrfToken == "" {
csrfToken = r.Header.Get("csrf-token")
}
if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
http.Error(w, "", http.StatusForbidden)
return
}
}
if session == nil {
var err error
session, err = auth.SignInAnonymous()
if err != nil {
http.Error(w, "", http.StatusInternalServerError)
return
}
if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
session, _ = auth.SignInAnonymous()
cookie := CreateSessionCookie(session.Id)
http.SetCookie(w, &cookie)
}
cookie := http.Cookie{
Name: "id",
Value: session.Id,
MaxAge: 60 * 60 * 8, // 8 hours
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
}
http.SetCookie(w, &cookie)
responseWriter := newCsrfResponseWriter(w, auth, session)
next.ServeHTTP(responseWriter, r)
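Review bot: The `session, _ = auth.SignInAnonymous()` line discards the error and the next line reads `session.Id`, so a failing SignInAnonymous that hands back a nil session panics inside the middleware instead of returning the 500 the old path produced; restore the removed `var err error` / `session, err = auth.SignInAnonymous()` / `if err != nil { http.Error(w, "", http.StatusInternalServerError); return }` lines inside the new branch before `CreateSessionCookie`. The +/- markers are lost in this rendering, so I am reading the block guarded by `strings.Contains(r.RequestURI, ...)` as the new side and the `var err error` block above it as removed. That guard also matches the substring anywhere in the raw request URI, query string included; a check on the parsed path such as `strings.HasPrefix(r.URL.Path, "/auth/")` states the intent more precisely. For every other path the handler now continues with a nil session into `newCsrfResponseWriter` and, for unsafe methods, into the `auth.IsCsrfTokenValid(csrfToken, session.Id)` call above; unless those callees tolerate nil, that needs an explicit check as well. CrossSiteRequestForgery's body continues outside the hunk.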