feat(security): #328 delete old sessions forgot password [tbs]

2024-12-18 22:48:54 +01:00
parent 2b46a00a49
commit 588f915c86
8 changed files with 103 additions and 61 deletions
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -61,7 +61,9 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}

-			if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
+			// Always sign in anonymous
+			// This way, there is no way to forget creating a csrf token
+			if session == nil {
 				session, _ = auth.SignInAnonymous()

 				cookie := CreateSessionCookie(session.Id)