x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

feat(security): #286 first try on csrf

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-06 22:42:23 +01:00
parent 04c6d0e71d
commit 425a7cc989
5 changed files with 52 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
handler/middleware/cross_site_request_forgery.go
View File

@@ -1,15 +1,48 @@
package middleware package middleware
import ( import (
"fmt"
"me-fit/service" "me-fit/service"
"strings"
"net/http" "net/http"
) )
func CrossSiteRequestForgery(auth *service.Auth) func(http.Handler) http.Handler { type csrfResponseWriter struct {
http.ResponseWriter
auth service.Auth
session *service.Session
}
func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
return &csrfResponseWriter{
ResponseWriter: w,
auth: auth,
session: session,
}
}
TODO: Create session for CSRF token
func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
dataStr := string(data)
if strings.Contains(dataStr, "</form>") {
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
if err == nil {
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
}
}
return rr.ResponseWriter.Write([]byte(dataStr))
}
func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler { return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// session := r.Context().Value(SessionKey) session := GetSession(r)
if r.Method == http.MethodPost || if r.Method == http.MethodPost ||
r.Method == http.MethodPut || r.Method == http.MethodPut ||
@@ -17,14 +50,14 @@ func CrossSiteRequestForgery(auth *service.Auth) func(http.Handler) http.Handler
r.Method == http.MethodPatch { r.Method == http.MethodPatch {
csrfToken := r.FormValue("csrf-token") csrfToken := r.FormValue("csrf-token")
if csrfToken == "" { if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
http.Error(w, "", http.StatusForbidden) http.Error(w, "", http.StatusForbidden)
return return
} }
} }
next.ServeHTTP(w, r) responseWriter := newCsrfResponseWriter(w, auth, session)
next.ServeHTTP(responseWriter, r)
}) })
} }
} }

8
log/default.go
View File

@@ -45,6 +45,12 @@ func Info(message string, args ...interface{}) {
func format(message string, args []interface{}) string { func format(message string, args []interface{}) string {
var w strings.Builder var w strings.Builder
fmt.Fprintf(&w, message, args)
if len(args) > 0 {
fmt.Fprintf(&w, message, args...)
} else {
w.WriteString(message)
}
return w.String() return w.String()
} }

3
main.go
View File

@@ -77,7 +77,7 @@ func run(ctx context.Context, database *sql.DB, env func(string) string) {
} }
func startServer(s *http.Server) { func startServer(s *http.Server) {
log.Info("Starting server on %v", s.Addr) log.Info("Starting server on %q", s.Addr)
if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed { if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed {
log.Error("error listening and serving: %v", err) log.Error("error listening and serving: %v", err)
} }
@@ -130,6 +130,7 @@ func createHandler(d *sql.DB, serverSettings *types.Settings) http.Handler {
middleware.Log, middleware.Log,
middleware.ContentSecurityPolicy, middleware.ContentSecurityPolicy,
middleware.Cors(serverSettings), middleware.Cors(serverSettings),
middleware.CrossSiteRequestForgery(authService),
middleware.Corp, middleware.Corp,
middleware.Coop, middleware.Coop,
) )

6
service/auth.go
View File

@@ -71,7 +71,7 @@ type Auth interface {
SendForgotPasswordMail(email string) error SendForgotPasswordMail(email string) error
ForgotPassword(token string, newPass string) error ForgotPassword(token string, newPass string) error
IsCsrfTokenValid(tokenStr string, userId uuid.UUID) bool IsCsrfTokenValid(tokenStr string, sessionId string) bool
GetCsrfToken(session *Session) (string, error) GetCsrfToken(session *Session) (string, error)
} }
@@ -394,14 +394,14 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
return nil return nil
} }
func (service AuthImpl) IsCsrfTokenValid(tokenStr string, userId uuid.UUID) bool { func (service AuthImpl) IsCsrfTokenValid(tokenStr string, sessionId string) bool {
token, err := service.db.GetToken(tokenStr) token, err := service.db.GetToken(tokenStr)
if err != nil { if err != nil {
return false return false
} }
if token.Type != db.TokenTypeCsrf || if token.Type != db.TokenTypeCsrf ||
token.UserId != userId || token.SessionId != sessionId ||
token.ExpiresAt.Before(service.clock.Now()) { token.ExpiresAt.Before(service.clock.Now()) {
return false return false

4
types/server_settings.go → types/settings.go
View File

@@ -77,8 +77,8 @@ func NewSettingsFromEnv(env func(string) string) *Settings {
log.Fatal("SMTP and Prometheus must be enabled in production") log.Fatal("SMTP and Prometheus must be enabled in production")
} }
log.Info("BASE_URL is %v", settings.BaseUrl) log.Info("BASE_URL is %q", settings.BaseUrl)
log.Info("ENVIRONMENT is %v", settings.Environment) log.Info("ENVIRONMENT is %q", settings.Environment)
return settings return settings
} }