From 1a59a9e7202e84741d9d9f0959fc49afa1faff77 Mon Sep 17 00:00:00 2001 From: tamsin johnson Date: Wed, 7 Feb 2024 23:04:06 -0800 Subject: [PATCH] lets-go:11.7 CSRF
---
 snippetbox/cmd/web/helpers.go | 2 ++ snippetbox/cmd/web/middleware.go | 13 +++++++++++++ snippetbox/cmd/web/routes.go | 2 +- snippetbox/cmd/web/templates.go | 1 + snippetbox/go.mod | 1 + snippetbox/go.sum | 2 ++ snippetbox/ui/html/pages/create.tmpl | 1 + snippetbox/ui/html/pages/login.tmpl | 3 ++- snippetbox/ui/html/pages/signup.tmpl | 3 ++- snippetbox/ui/html/partials/nav.tmpl | 1 + 10 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/snippetbox/cmd/web/helpers.go b/snippetbox/cmd/web/helpers.go
index 2572fff..5b3dcb2 100644
--- a/snippetbox/cmd/web/helpers.go
+++ b/snippetbox/cmd/web/helpers.go
@@ -10,6 +10,7 @@ import ( "time" "github.com/go-playground/form/v4"
+ "github.com/justinas/nosurf" ) // newTemplateData ...
@@ -18,6 +19,7 @@ func (app *application) newTemplateData(r *http.Request) templateData { CurrentYear: time.Now().Year(), Flash: app.sessionManager.PopString(r.Context(), "flash"), IsAuthenticated: app.isAuthenticated(r),
+ CSRFToken: nosurf.Token(r), } }
diff --git a/snippetbox/cmd/web/middleware.go b/snippetbox/cmd/web/middleware.go
index 301025e..ddc8104 100644
--- a/snippetbox/cmd/web/middleware.go
+++ b/snippetbox/cmd/web/middleware.go
@@ -3,6 +3,8 @@ package main import ( "fmt" "net/http"
+
+ "github.com/justinas/nosurf" ) // logRequest ...
@@ -59,3 +61,14 @@ func (app *application) requireAuthentication(next http.Handler) http.Handler { next.ServeHTTP(w, r) }) }
+
+func noSurf(next http.Handler) http.Handler { csrfHandler := nosurf.New(next) csrfHandler.SetBaseCookie(http.Cookie{ HttpOnly: true, Path: "/", Secure: true, }) return csrfHandler }
diff --git a/snippetbox/cmd/web/routes.go b/snippetbox/cmd/web/routes.go
index b25b31e..c06f233 100644
--- a/snippetbox/cmd/web/routes.go
+++ b/snippetbox/cmd/web/routes.go 
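Review bot: `CSRFToken: nosurf.Token(r)` is only meaningful for requests that passed through the noSurf middleware; nosurf reads the token from the request context, so a handler rendered outside that chain gets an empty string here and its form would post an empty `csrf_token`. That is silent at the template level, so I would record it on the field: `// CSRFToken is empty unless the noSurf middleware wrapped this handler; forms must include it as csrf_token.`. The enclosing newTemplateData function begins outside the hunk.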
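Review bot: The base cookie set in noSurf carries no SameSite attribute, so the CSRF cookie travels on cross-site navigations exactly like the session cookie it is meant to protect; adding `SameSite: http.SameSiteLaxMode,` beside `Secure: true,` gives an independent second layer (nosurf copies the base cookie field-for-field when it issues the token cookie, as far as I recall of v1.1.1 — worth confirming). `Secure: true` also means a plain-HTTP development listener never gets the cookie back and every POST is rejected with nosurf's default bare 400, so this middleware presupposes the TLS server and a custom failure handler would help when diagnosing that. The function lacks the `// noSurf ...` doc comment its neighbours carry; I would add `// noSurf wraps next with a nosurf CSRF check using a HttpOnly, Secure, path-wide cookie; as with any double-submit scheme it relies on attackers not being able to set cookies for this host.`.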
@@ -23,7 +23,7 @@ func (app *application) routes() http.Handler { fileServer := http.FileServer(http.Dir("./ui/static")) router.Handler(http.MethodGet, "/static/*filepath", http.StripPrefix("/static", fileServer))
- dynamic := alice.New(app.sessionManager.LoadAndSave)
+ dynamic := alice.New(app.sessionManager.LoadAndSave, noSurf) router.Handler(http.MethodGet, "/", dynamic.ThenFunc(app.home)) router.Handler(http.MethodGet, "/snippet/view/:id", dynamic.ThenFunc(app.snippetView))
diff --git a/snippetbox/cmd/web/templates.go b/snippetbox/cmd/web/templates.go
index d1c5a30..c366660 100644
--- a/snippetbox/cmd/web/templates.go
+++ b/snippetbox/cmd/web/templates.go
@@ -15,6 +15,7 @@ type templateData struct { Form any Flash string IsAuthenticated bool
+ CSRFToken string } // humanDate ...
diff --git a/snippetbox/go.mod b/snippetbox/go.mod
index b0f5f89..dab1f2b 100644
--- a/snippetbox/go.mod
+++ b/snippetbox/go.mod
@@ -9,5 +9,6 @@ require ( github.com/go-sql-driver/mysql v1.7.1 // indirect github.com/julienschmidt/httprouter v1.3.0 // indirect github.com/justinas/alice v1.2.0 // indirect
+ github.com/justinas/nosurf v1.1.1 // indirect golang.org/x/crypto v0.19.0 // indirect )
diff --git a/snippetbox/go.sum b/snippetbox/go.sum
index 7fb4bff..4d4ecc8 100644
--- a/snippetbox/go.sum
+++ b/snippetbox/go.sum 
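Review bot: Only the `dynamic` chain gains noSurf, so the CSRF check and the token in templateData both depend on every form-handling route being registered through it or a chain derived from it; a route registered directly on the router would accept cross-site POSTs and render an empty token. The `/static` file server on the line above is GET-only and needs no protection, but any `protected` chain built elsewhere (not visible here) is covered only if it is built from `dynamic` rather than from a fresh `alice.New`. I would pin that invariant on the changed line: `// noSurf must wrap every route that renders or receives a form; register nothing form-related outside this chain.`. The enclosing routes function begins and ends outside the hunk.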
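Review bot: `github.com/justinas/nosurf v1.1.1 // indirect` marks as indirect a module that cmd/web now imports directly, which misleads readers about the dependency surface and is exactly what `go mod tidy` would rewrite (the same applies to the alice and httprouter lines already in the block). I would run tidy and commit the result so the line reads `github.com/justinas/nosurf v1.1.1` without the marker; the go.sum entries added alongside are consistent with that version and need no change.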
@@ -11,5 +11,7 @@ github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4d github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo= github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA= +github.com/justinas/nosurf v1.1.1 h1:92Aw44hjSK4MxJeMSyDa7jwuI9GR2J/JCQiaKvXXSlk= +github.com/justinas/nosurf v1.1.1/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ= golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= diff --git a/snippetbox/ui/html/pages/create.tmpl b/snippetbox/ui/html/pages/create.tmpl index aaef646..cd3c805 100644 --- a/snippetbox/ui/html/pages/create.tmpl +++ b/snippetbox/ui/html/pages/create.tmpl @@ -2,6 +2,7 @@ {{define "main"}}
+
{{with .Form.FieldErrors.title}} diff --git a/snippetbox/ui/html/pages/login.tmpl b/snippetbox/ui/html/pages/login.tmpl index c66d36c..04f0b7a 100644 --- a/snippetbox/ui/html/pages/login.tmpl +++ b/snippetbox/ui/html/pages/login.tmpl @@ -1,7 +1,8 @@ {{define "title"}}Login{{end}} {{define "main"}} - + + {{range .Form.NonFieldErrors}}
{{.}}
{{end}} diff --git a/snippetbox/ui/html/pages/signup.tmpl b/snippetbox/ui/html/pages/signup.tmpl index 0943855..2e0d5da 100644 --- a/snippetbox/ui/html/pages/signup.tmpl +++ b/snippetbox/ui/html/pages/signup.tmpl @@ -1,7 +1,8 @@ {{define "title"}}User Signup{{end}} {{define "main"}} - + + {{with .Form.FieldErrors.username}} diff --git a/snippetbox/ui/html/partials/nav.tmpl b/snippetbox/ui/html/partials/nav.tmpl index b203562..572550e 100644 --- a/snippetbox/ui/html/partials/nav.tmpl +++ b/snippetbox/ui/html/partials/nav.tmpl @@ -9,6 +9,7 @@
{{if .IsAuthenticated}} + {{else}}