feat(security): #286 anonymous sign in for csrf token on login form

handler/middleware/authenticate.go

@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"context"
+
 	"me-fit/service"
 
 	"net/http"
@@ -43,5 +44,5 @@ func getSessionID(r *http.Request) string {
 		return ""
 	}
 
-	return cookie.Name
+	return cookie.Value
 }

handler/middleware/cross_site_request_forgery.go

@@ -2,9 +2,10 @@ package middleware
 
 import (
 	"fmt"
-	"me-fit/service"
 	"strings"
 
+	"me-fit/service"
+
 	"net/http"
 )
 
@@ -22,9 +23,6 @@ func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *se
 	}
 }
 
-
-TODO: Create session for CSRF token
-
 func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
 	dataStr := string(data)
 	if strings.Contains(dataStr, "</form>") {
@@ -38,6 +36,10 @@ func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
 	return rr.ResponseWriter.Write([]byte(dataStr))
 }
 
+func (rr *csrfResponseWriter) WriteHeader(statusCode int) {
+	rr.ResponseWriter.WriteHeader(statusCode)
+}
+
 func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -56,6 +58,25 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}
 
+			if session == nil {
+				var err error
+				session, err = auth.SignInAnonymous()
+				if err != nil {
+					http.Error(w, "", http.StatusInternalServerError)
+					return
+				}
+			}
+			cookie := http.Cookie{
+				Name:     "id",
+				Value:    session.Id,
+				MaxAge:   60 * 60 * 8, // 8 hours
+				Secure:   true,
+				HttpOnly: true,
+				SameSite: http.SameSiteStrictMode,
+				Path:     "/",
+			}
+			http.SetCookie(w, &cookie)
+
 			responseWriter := newCsrfResponseWriter(w, auth, session)
 			next.ServeHTTP(responseWriter, r)
 		})