feat(security): #286 anonymous sign in for csrf token on login form

service/auth.go

@@ -62,6 +62,7 @@ type Auth interface {
 
 	SignIn(email string, password string) (*Session, error)
 	SignInSession(sessionId string) (*Session, error)
+	SignInAnonymous() (*Session, error)
 	SignOut(sessionId string) error
 
 	DeleteAccount(user *User) error
@@ -142,6 +143,15 @@ func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
 	return session, nil
 }
 
+func (service AuthImpl) SignInAnonymous() (*Session, error) {
+	sessionDb, err := service.createSession(uuid.Nil)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	return NewSession(sessionDb, nil), nil
+}
+
 func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 	sessionId, err := service.random.String(32)
 	if err != nil {
@@ -411,6 +421,10 @@ func (service AuthImpl) IsCsrfTokenValid(tokenStr string, sessionId string) bool
 }
 
 func (service AuthImpl) GetCsrfToken(session *Session) (string, error) {
+	if session == nil {
+		return "", types.ErrInternal
+	}
+
 	tokens, _ := service.db.GetTokensBySessionIdAndType(session.Id, db.TokenTypeCsrf)
 
 	if len(tokens) > 0 {