feat(security): #286 anonymous sign in for csrf token on login form

2024-12-08 15:10:36 +01:00
parent 425a7cc989
commit c9e0188b60
3 changed files with 722 additions and 3 deletions
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -22,9 +22,6 @@ func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *se
 	}
 }

-
-TODO: Create session for CSRF token
-
 func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
 	dataStr := string(data)
 	if strings.Contains(dataStr, "</form>") {
@@ -38,6 +35,10 @@ func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
 	return rr.ResponseWriter.Write([]byte(dataStr))
 }

+func (rr *csrfResponseWriter) WriteHeader(statusCode int) {
+	rr.ResponseWriter.WriteHeader(statusCode)
+}
+
 func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -56,6 +57,25 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}

+			if session == nil {
+				var err error
+				session, err = auth.SignInAnonymous()
+				if err != nil {
+					http.Error(w, "", http.StatusInternalServerError)
+					return
+				}
+			}
+			cookie := http.Cookie{
+				Name:     "id",
+				Value:    session.Id,
+				MaxAge:   60 * 60 * 8, // 8 hours
+				Secure:   true,
+				HttpOnly: true,
+				SameSite: http.SameSiteStrictMode,
+				Path:     "/",
+			}
+			http.SetCookie(w, &cookie)
+
 			responseWriter := newCsrfResponseWriter(w, auth, session)
 			next.ServeHTTP(responseWriter, r)
 		})