Refactor CSRF protection

internal/dis/component/control/admin/admin.go

@@ -49,7 +49,6 @@ func (admin *Admin) HandleRoute(ctx context.Context, route string) (handler http
 			Handler:  admin.serveSocket,
 		}
 		handler = admin.Dependencies.Auth.Protect(socket, auth.Admin)
-		handler = admin.Dependencies.Auth.CSRF()(handler)
 	}
 
 	// handle everything

internal/dis/component/control/admin/users.go

@@ -64,7 +64,7 @@ func (admin *Admin) createUser(ctx context.Context) http.Handler {
 		},
 		FieldTemplate: httpx.PureCSSFieldTemplate,
 
-		CSRF: admin.Dependencies.Auth.CSRF(),
+		CSRF: true,
 
 		RenderTemplate: userCreateTemplate,
 

internal/dis/component/control/server.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"github.com/FAU-CDI/wisski-distillery/pkg/cancel"
+	"github.com/gorilla/csrf"
 	"github.com/rs/zerolog"
 )
 
@@ -29,7 +30,15 @@ func (control *Control) Server(ctx context.Context, progress io.Writer) (http.Ha
 		}
 	}
 
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	return func(handler http.HandlerFunc) http.Handler {
+		// setup a csrf protector for everything with POST
+		var opts []csrf.Option
+		if !control.Config.HTTPSEnabled() {
+			opts = append(opts, csrf.Secure(false))
+		}
+		opts = append(opts, csrf.SameSite(csrf.SameSiteStrictMode))
+		return csrf.Protect(control.Config.CSRFSecret(), opts...)(handler)
+	}(func(w http.ResponseWriter, r *http.Request) {
 		r = r.WithContext(cancel.ValuesOf(r.Context(), ctx))
 		mux.ServeHTTP(w, r)
 	}), nil