feat(security): #286 use csrf token for delete request

2024-12-11 15:47:29 +01:00
parent 8cf2210aaf
commit 12d7c13b02
4 changed files with 82 additions and 87 deletions
--- a/handler/auth.go
+++ b/handler/auth.go
@@ -86,16 +86,7 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
 				return nil, err
 			}

-			cookie := http.Cookie{
-				Name:     "id",
-				Value:    session.Id,
-				MaxAge:   60 * 60 * 8, // 8 hours
-				Secure:   true,
-				HttpOnly: true,
-				SameSite: http.SameSiteStrictMode,
-				Path:     "/",
-			}
-
+			cookie := middleware.CreateSessionCookie(session.Id)
 			http.SetCookie(w, &cookie)

 			return session.User, nil
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -30,6 +30,7 @@ func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
 		if err == nil {
 			csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
 			dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
+			dataStr = strings.ReplaceAll(dataStr, "CSRF_TOKEN", csrfToken)
 		}
 	}

@@ -52,30 +53,21 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				r.Method == http.MethodPatch {

 				csrfToken := r.FormValue("csrf-token")
+				if csrfToken == "" {
+					csrfToken = r.Header.Get("csrf-token")
+				}
 				if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
 					http.Error(w, "", http.StatusForbidden)
 					return
 				}
 			}

-			if session == nil {
-				var err error
-				session, err = auth.SignInAnonymous()
-				if err != nil {
-					http.Error(w, "", http.StatusInternalServerError)
-					return
-				}
-			}
-			cookie := http.Cookie{
-				Name:     "id",
-				Value:    session.Id,
-				MaxAge:   60 * 60 * 8, // 8 hours
-				Secure:   true,
-				HttpOnly: true,
-				SameSite: http.SameSiteStrictMode,
-				Path:     "/",
-			}
+			if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
+				session, _ = auth.SignInAnonymous()
+
+				cookie := CreateSessionCookie(session.Id)
 				http.SetCookie(w, &cookie)
+			}

 			responseWriter := newCsrfResponseWriter(w, auth, session)
 			next.ServeHTTP(responseWriter, r)
--- a/handler/middleware/default.go
+++ b/handler/middleware/default.go
@@ -0,0 +1,15 @@
+package middleware
+
+import "net/http"
+
+func CreateSessionCookie(sessionId string) http.Cookie {
+	return http.Cookie{
+		Name:     "id",
+		Value:    sessionId,
+		MaxAge:   60 * 60 * 8, // 8 hours
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+}
--- a/template/workout/workout.templ
+++ b/template/workout/workout.templ
@@ -2,12 +2,8 @@ package workout

 templ WorkoutComp(currentDate string) {
 <main class="mx-2">
-		<form
-			class="max-w-xl mx-auto flex flex-col gap-4 justify-center mt-10"
-			hx-post="/api/workout"
-			hx-target="#workout-placeholder"
-			hx-swap="outerHTML"
-		>
+	<form class="max-w-xl mx-auto flex flex-col gap-4 justify-center mt-10" hx-post="/api/workout"
+		hx-target="#workout-placeholder" hx-swap="outerHTML">
 		<h2 class="text-4xl mb-8">Track your workout</h2>
 		<input id="date" type="date" class="input input-bordered" value={ currentDate } name="date" />
 		<select class="select select-bordered w-full" name="type">
@@ -64,7 +60,8 @@ templ WorkoutItemComp(w Workout, includePlaceholder bool) {
 	<th>{ w.Reps }</th>
 	<th>
 		<div class="tooltip" data-tip="Delete Entry">
-				<button hx-delete={ "api/workout/" + w.Id } hx-target="closest tr">
+			<button hx-headers='{"csrf-token": "CSRF_TOKEN"}' hx-delete={ "api/workout/" + w.Id } hx-target="closest tr"
+				type="submit">
 				Delete
 			</button>
 		</div>