Refactor CSRF protection
This commit is contained in:
parent
59b565ae19
commit
eb17dbe33f
8 changed files with 20 additions and 45 deletions
|
|
@ -7,7 +7,6 @@ import (
|
|||
"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
|
||||
"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
|
||||
"github.com/FAU-CDI/wisski-distillery/pkg/lazy"
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/sessions"
|
||||
"github.com/julienschmidt/httprouter"
|
||||
)
|
||||
|
|
@ -41,15 +40,3 @@ func (auth *Auth) HandleRoute(ctx context.Context, route string) (http.Handler,
|
|||
|
||||
return router, nil
|
||||
}
|
||||
|
||||
func (auth *Auth) CSRF() func(http.Handler) http.Handler {
|
||||
// setup the csrf handler (if needed)
|
||||
// TOOD: This should move to the server handler
|
||||
return auth.csrf.Get(func() func(http.Handler) http.Handler {
|
||||
var opts []csrf.Option
|
||||
if !auth.Config.HTTPSEnabled() {
|
||||
opts = append(opts, csrf.Secure(false))
|
||||
}
|
||||
return csrf.Protect(auth.Config.CSRFSecret(), opts...)
|
||||
})
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,8 +33,7 @@ func (panel *UserPanel) routePassword(ctx context.Context) http.Handler {
|
|||
{Name: "new2", Type: httpx.PasswordField, EmptyOnError: true, Label: "New Password (again)"},
|
||||
},
|
||||
FieldTemplate: httpx.PureCSSFieldTemplate,
|
||||
|
||||
CSRF: panel.Dependencies.Auth.CSRF(),
|
||||
CSRF: true,
|
||||
|
||||
RenderTemplate: passwordTemplate,
|
||||
RenderTemplateContext: panel.UserFormContext,
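Review bot: `CSRF: true,` now only declares that the form wants protection; the middleware that actually verifies the token is no longer attached at this call site, so whether routePassword is protected depends on the server handler wrapping the route with `csrf.Protect`, which this commit does not show. The same replacement appears in the routeTOTPEnable, routeTOTPEnroll, routeTOTPDisable and authLogin hunks. I would document the dependency on the field, `CSRF: true, // token check is done by the csrf middleware installed by the server handler; a route mounted without it is unprotected`, and, if the form code has access to the request, have it fail closed when the flag is set but `csrf.Token(r)` is empty (gorilla/csrf yields an empty token when its middleware did not run) rather than render a form whose POST is never checked. The enclosing routePassword body starts and continues outside the hunk.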
|
||||
|
|
|
|||
|
|
@ -22,8 +22,7 @@ func (panel *UserPanel) routeTOTPEnable(ctx context.Context) http.Handler {
|
|||
{Name: "password", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
|
||||
},
|
||||
FieldTemplate: httpx.PureCSSFieldTemplate,
|
||||
|
||||
CSRF: panel.Dependencies.Auth.CSRF(),
|
||||
CSRF: true,
|
||||
|
||||
SkipForm: func(r *http.Request) (data struct{}, skip bool) {
|
||||
user, err := panel.Dependencies.Auth.UserOf(r)
|
||||
|
|
@ -81,8 +80,7 @@ func (panel *UserPanel) routeTOTPEnroll(ctx context.Context) http.Handler {
|
|||
{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Passcode"},
|
||||
},
|
||||
FieldTemplate: httpx.PureCSSFieldTemplate,
|
||||
|
||||
CSRF: panel.Dependencies.Auth.CSRF(),
|
||||
CSRF: true,
|
||||
|
||||
SkipForm: func(r *http.Request) (data struct{}, skip bool) {
|
||||
user, err := panel.Dependencies.Auth.UserOf(r)
|
||||
|
|
@ -152,8 +150,7 @@ func (panel *UserPanel) routeTOTPDisable(ctx context.Context) http.Handler {
|
|||
{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Current Passcode"},
|
||||
},
|
||||
FieldTemplate: httpx.PureCSSFieldTemplate,
|
||||
|
||||
CSRF: panel.Dependencies.Auth.CSRF(),
|
||||
CSRF: true,
|
||||
|
||||
SkipForm: func(r *http.Request) (data struct{}, skip bool) {
|
||||
user, err := panel.Dependencies.Auth.UserOf(r)
|
||||
|
|
|
|||
|
|
@ -121,8 +121,7 @@ func (auth *Auth) authLogin(ctx context.Context) http.Handler {
|
|||
{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Passcode (optional)"},
|
||||
},
|
||||
FieldTemplate: httpx.PureCSSFieldTemplate,
|
||||
|
||||
CSRF: auth.CSRF(),
|
||||
CSRF: true,
|
||||
|
||||
RenderForm: func(context httpx.FormContext, w http.ResponseWriter, r *http.Request) {
|
||||
if context.Err != nil {
|
||||
|
|
|
|||