m15o 2021-12-22 12:04:24 +01:00
parent 4a9e788f29
commit ae3804bf04
18 changed files with 56 additions and 39 deletions

1
go.mod

@ -5,6 +5,7 @@ go 1.16
require (
github.com/fogleman/gg v1.3.0
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
github.com/gorilla/csrf v1.7.1 // indirect
github.com/gorilla/mux v1.8.0
github.com/gorilla/sessions v1.2.1
github.com/kr/pretty v0.3.0 // indirect
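Review bot: `github.com/gorilla/csrf v1.7.1` is recorded with a `// indirect` marker, yet the handler files in this same commit import it directly, so the marker is wrong and `go mod tidy` would remove it. Run tidy (or drop the comment by hand) so the require line reads `github.com/gorilla/csrf v1.7.1` and the module graph reflects that this is a direct dependency.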

4
go.sum

@ -3,6 +3,8 @@ github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
github.com/gorilla/feeds v1.1.1 h1:HwKXxqzcRNg9to+BbvJog4+f3s/xzvtZXICcQGutYfY=
github.com/gorilla/feeds v1.1.1/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
@ -20,6 +22,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk=
github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI=


@ -19,6 +19,7 @@ var TplMap = map[string]string{
Are you sure you you want to delete the following status?
<p>{{ .status.Content }}</p>
<form action="/remove?id={{ .status.Id }}" method="post">
{{ .csrfField }}
<input type="hidden" name="id"/>
<input type="submit" value="Submit">
</form>
@ -48,6 +49,7 @@ var TplMap = map[string]string{
<p>{{ .flash }}</p>
{{ end }}
<form action="/add?silent=1" method="post" name="update-status">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
</main>
@ -143,6 +145,7 @@ var TplMap = map[string]string{
{{ end }}
{{ template "flash" .flash }}
<form action="/edit?id={{ .status.Id }}" method="post">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
{{ end }}`,
@ -154,7 +157,10 @@ var TplMap = map[string]string{
{{ if .form.Error }}
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/add" method="post">{{ template "status_form" .status }}</form>
<form action="/add" method="post">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
<ul class="tools">
<li><a href="/about/status-updater">status updater</a> bookmarklet</li>
<li><a href="/current-status">status widget</a> for your homepage</li>
@ -217,6 +223,7 @@ var TplMap = map[string]string{
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/check-login" method="post" class="auth-form">
{{ .csrfField }}
<div class="field">
<label for="name">Username</label>
<input type="text" id="name" name="name" autocomplete="off" required autofocus/>
@ -263,6 +270,7 @@ var TplMap = map[string]string{
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/register" method="post" class="auth-form">
{{ .csrfField }}
<div class="field">
<label for="name">Username</label>
<input type="text" id="name" name="name" autocomplete="off" required maxlength="20" autofocus/>
@ -305,6 +313,7 @@ var TplMap = map[string]string{
{{ end }}
<p><a href="/manage">Manage statuses</a></p>
<form action="/settings-update" method="post">
{{ .csrfField }}
<div class="field">
<label for="homepage">Homepage</label>
<input type="text" name="homepage" id="homepage" value="{{ .User.Homepage }}" autocomplete="off"/>
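Review bot: The templates that now contain `{{ .csrfField }}` are rendered from more places than the GET view handlers updated in this commit: the `{{ if .form.Error }}` blocks sitting directly above the create, login and register forms are populated by the POST handlers on a failed submission, and if those re-render the template without `csrf.TemplateTag` the form comes back with an empty token and the user's retry is rejected by csrf.Protect with a 403. Each of those render calls should also pass `csrf.TemplateTag: csrf.TemplateField(r)`; the POST handlers are outside this commit, so this is inferred from the templates rather than seen. These embedded strings also appear to duplicate the standalone template files changed in the same commit, so the token field (and any future template change) has to be kept in sync in two places.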


@ -3,6 +3,7 @@
Are you sure you you want to delete the following status?
<p>{{ .status.Content }}</p>
<form action="/remove?id={{ .status.Id }}" method="post">
{{ .csrfField }}
<input type="hidden" name="id"/>
<input type="submit" value="Submit">
</form>


@ -22,6 +22,7 @@
<p>{{ .flash }}</p>
{{ end }}
<form action="/add?silent=1" method="post" name="update-status">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
</main>


@ -5,6 +5,7 @@
{{ end }}
{{ template "flash" .flash }}
<form action="/edit?id={{ .status.Id }}" method="post">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
{{ end }}


@ -6,7 +6,10 @@
{{ if .form.Error }}
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/add" method="post">{{ template "status_form" .status }}</form>
<form action="/add" method="post">
{{ .csrfField }}
{{ template "status_form" .status }}
</form>
<ul class="tools">
<li><a href="/about/status-updater">status updater</a> bookmarklet</li>
<li><a href="/current-status">status widget</a> for your homepage</li>
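Review bot: The "status updater" bookmarklet linked right below the form (`/about/status-updater`) is a submitter of `/add` that a template token cannot cover; if it POSTs from another page's origin, csrf.Protect will now answer 403 (and on HTTPS it additionally requires a same-origin Referer), so the bookmarklet would need to obtain a token from the app first or its endpoint would need an authentication scheme that does not rely on the session cookie. Only the link text is visible here, so this is inferred; confirm how the bookmarklet actually submits before shipping, since the failure will be silent for users.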


@ -5,6 +5,7 @@
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/check-login" method="post" class="auth-form">
{{ .csrfField }}
<div class="field">
<label for="name">Username</label>
<input type="text" id="name" name="name" autocomplete="off" required autofocus/>


@ -5,6 +5,7 @@
<p>{{ .form.Error }}</p>
{{ end }}
<form action="/register" method="post" class="auth-form">
{{ .csrfField }}
<div class="field">
<label for="name">Username</label>
<input type="text" id="name" name="name" autocomplete="off" required maxlength="20" autofocus/>


@ -5,6 +5,7 @@
{{ end }}
<p><a href="/manage">Manage statuses</a></p>
<form action="/settings-update" method="post">
{{ .csrfField }}
<div class="field">
<label for="homepage">Homepage</label>
<input type="text" name="homepage" id="homepage" value="{{ .User.Homepage }}" autocomplete="off"/>


@ -1,6 +1,7 @@
package handler
import (
"github.com/gorilla/csrf"
"net/http"
"status/model"
)
@ -29,8 +30,9 @@ func (h *Handler) showIndexView(w http.ResponseWriter, r *http.Request) {
}
session.Save(r, w)
h.renderLayout(w, "index", map[string]interface{}{
"statuses": statuses,
"flash": flash,
"status": &model.Status{},
"statuses": statuses,
"flash": flash,
"status": &model.Status{},
csrf.TemplateTag: csrf.TemplateField(r),
}, user)
}


@ -1,9 +1,12 @@
package handler
import (
"github.com/gorilla/csrf"
"net/http"
)
func (h *Handler) showLoginView(w http.ResponseWriter, r *http.Request) {
h.renderLayout(w, "login", nil, "")
h.renderLayout(w, "login", map[string]interface{}{
csrf.TemplateTag: csrf.TemplateField(r),
}, "")
}


@ -3,6 +3,7 @@ package handler
import (
"bytes"
"errors"
"github.com/gorilla/csrf"
"html/template"
"log"
"net/http"
@ -22,7 +23,9 @@ func (h *Handler) handleRegister(w http.ResponseWriter, r *http.Request) {
func (h *Handler) showRegisterView(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "GET":
h.renderLayout(w, "register", nil, "")
h.renderLayout(w, "register", map[string]interface{}{
csrf.TemplateTag: csrf.TemplateField(r),
}, "")
}
}
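Review bot: Only the GET branch of showRegisterView now receives `csrf.TemplateTag`; `handleRegister`, which sits directly above this hunk and is untouched by the commit, presumably re-renders the "register" template with `.form.Error` when a submission fails, and that render would emit an empty `{{ .csrfField }}`, so the user's corrected retry is rejected by csrf.Protect with a 403. Pass `csrf.TemplateTag: csrf.TemplateField(r)` in that render call as well; handleRegister's body is outside the hunk, so this needs confirming against it.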


@ -1,6 +1,9 @@
package handler
import "net/http"
import (
"github.com/gorilla/csrf"
"net/http"
)
func (h *Handler) showSettingsView(w http.ResponseWriter, r *http.Request) {
protectClickJacking(w)
@ -25,7 +28,8 @@ func (h *Handler) showSettingsView(w http.ResponseWriter, r *http.Request) {
}
session.Save(r, w)
h.renderLayout(w, "settings", map[string]interface{}{
"flash": flash,
"User": user,
"flash": flash,
"User": user,
csrf.TemplateTag: csrf.TemplateField(r),
}, username)
}


@ -1,6 +1,7 @@
package handler
import (
"github.com/gorilla/csrf"
"net/http"
"status/model"
)
@ -12,5 +13,5 @@ func (h *Handler) showNewStatusView(w http.ResponseWriter, r *http.Request) {
unauthorized(w, r)
return
}
h.view("create_status").Execute(w, map[string]interface{}{"status": &model.Status{}})
h.view("create_status").Execute(w, map[string]interface{}{"status": &model.Status{}, csrf.TemplateTag: csrf.TemplateField(r)})
}
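Review bot: The rewritten `Execute` line packs both map entries onto one long line, unlike every other handler in this commit, which lists one key per line under `renderLayout`; gofmt accepts it, but a reader has to scan past nested braces to see what the template receives. Splitting the literal so that `"status": &model.Status{},` and `csrf.TemplateTag: csrf.TemplateField(r),` each sit on their own line matches the rest of the change. While the line is being rewritten, the error returned by `Execute` is still discarded; it predates the commit but is worth at least logging.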


@ -1,6 +1,7 @@
package handler
import (
"github.com/gorilla/csrf"
"github.com/gorilla/mux"
"net/http"
"strconv"
@ -50,7 +51,8 @@ func (h *Handler) showEditStatusView(w http.ResponseWriter, r *http.Request) {
}
session.Save(r, w)
h.renderLayout(w, "edit_status", map[string]interface{}{
"status": status,
"flash": flash,
"status": status,
"flash": flash,
csrf.TemplateTag: csrf.TemplateField(r),
}, user)
}


@ -1,6 +1,7 @@
package handler
import (
"github.com/gorilla/csrf"
"net/http"
"strconv"
)
@ -29,7 +30,8 @@ func (h *Handler) handleRemoveStatus(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "GET":
h.renderLayout(w, "confirm_remove_status", map[string]interface{}{
"status": status,
"status": status,
csrf.TemplateTag: csrf.TemplateField(r),
}, user)
case "POST":
err = h.storage.DeleteStatus(status.Id, user)


@ -2,6 +2,7 @@ package web
import (
"fmt"
"github.com/gorilla/csrf"
"log"
"net/http"
"status/config"
@ -10,16 +11,6 @@ import (
"status/web/session"
)
//func httpToHTTPSHandler() *http.ServeMux {
// handleRedirect := func(w http.ResponseWriter, r *http.Request) {
// newURI := "https://" + r.Host + r.URL.String()
// http.Redirect(w, r, newURI, http.StatusFound)
// }
// mux := &http.ServeMux{}
// mux.HandleFunc("/", handleRedirect)
// return mux
//}
func Serve(data *storage.Storage, cfg *config.Config) error {
var err error
sess := session.New(cfg.SessionKey, data)
@ -27,21 +18,7 @@ func Serve(data *storage.Storage, cfg *config.Config) error {
if err != nil {
log.Fatal(err)
}
//switch cfg.Env {
//case "PROD":
// go func() {
// fmt.Printf("Starting HTTP server on :443\n")
// err := http.ListenAndServeTLS(":443", cfg.CertFile, cfg.KeyFile, s)
// if err != nil {
// log.Fatalf("httpsSrv.ListendAndServeTLS() failed with %s", err)
// }
// }()
// fmt.Printf("Starting HTTP to HTTPS server on :80\n")
// err = http.ListenAndServe(":80", httpToHTTPSHandler())
// break
//default:
fmt.Printf("Starting HTTP server on port 8000\n")
err = http.ListenAndServe(":8000", s)
//}
err = http.ListenAndServe(":8000", csrf.Protect([]byte("32-byte-long-auth-key"))(s))
return err
}
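Review bot: `csrf.Protect([]byte("32-byte-long-auth-key"))` hard-codes the token HMAC key in source (and the literal is 21 bytes, not the 32 gorilla/csrf's documentation calls for), so anyone with the repository can mint valid tokens for every deployment; load it from config the way `cfg.SessionKey` is read on the `session.New` line, generated as 32 random bytes per deployment and never committed. Separately, gorilla/csrf sets its cookie with the Secure flag by default, and with the TLS listener removed this process only speaks plain HTTP on :8000, so a browser talking to it directly will not return the CSRF cookie and every protected POST will fail with 403 unless TLS is terminated in front of the app; if a plain-HTTP development mode is intended, pass `csrf.Secure(false)` only in that mode (the removed lines suggest a `cfg.Env` field exists for this, if it is still present). The HTTPS listener and HTTP-to-HTTPS redirect are deleted rather than disabled, so the production path now depends entirely on an external proxy, which should be stated in the deployment docs.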