author | Brian Picciano <mediocregopher@gmail.com> | 2022-05-24 17:27:03 -0600 |
---|---|---|
committer | Brian Picciano <mediocregopher@gmail.com> | 2022-05-24 17:27:03 -0600 |
commit | 159638084e167047b86fd65382f50cd099d4eb48 (patch) | |
tree | d4653540894da749726f4f8be988fe6df8d195a7 | |
parent | 88ebaeda8f02e2c89dac44809fffb1f9ebb71bd0 (diff) |
Fix CSRF loading on static GET pages
-rw-r--r-- | srv/src/http/api.go | 3 | ||||
-rw-r--r-- | srv/src/http/csrf.go | 19 | ||||
-rw-r--r-- | srv/src/http/tpl.go | 5 | ||||
-rw-r--r-- | srv/src/http/tpl/assets.html | 2 | ||||
-rw-r--r-- | srv/src/http/tpl/edit-post.html | 2 | ||||
-rw-r--r-- | srv/src/http/tpl/load-csrf.html | 13 | ||||
-rw-r--r-- | srv/src/http/tpl/posts.html | 3 |
7 files changed, 44 insertions, 3 deletions
diff --git a/srv/src/http/api.go b/srv/src/http/api.go
index 19a65d9..da54c9c 100644
--- a/srv/src/http/api.go
+++ b/srv/src/http/api.go
@@ -163,6 +163,9 @@ func (a *api) Shutdown(ctx context.Context) error {
 func (a *api) apiHandler() http.Handler {
 mux := http.NewServeMux()
+
+ mux.Handle("/csrf", a.getCSRFTokenHandler())
+
 mux.Handle("/pow/challenge", a.newPowChallengeHandler())
 mux.Handle("/pow/check", a.requirePowMiddleware(
diff --git a/srv/src/http/csrf.go b/srv/src/http/csrf.go
index 1c80dee..7a45269 100644
--- a/srv/src/http/csrf.go
+++ b/srv/src/http/csrf.go
@@ -57,3 +57,22 @@ func checkCSRFMiddleware(h http.Handler) http.Handler {
 h.ServeHTTP(rw, r)
 })
 }
+
+func (a *api) getCSRFTokenHandler() http.Handler {
+
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+
+ csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
+
+ if err != nil {
+ apiutil.InternalServerError(rw, r, err)
+ return
+ }
+
+ apiutil.JSONResult(rw, r, struct {
+ CSRFToken string
+ }{
+ CSRFToken: csrfTok,
+ })
+ })
+}
diff --git a/srv/src/http/tpl.go b/srv/src/http/tpl.go
index 5c235a1..8654569 100644
--- a/srv/src/http/tpl.go
+++ b/srv/src/http/tpl.go
@@ -100,6 +100,7 @@ func (a *api) mustParseTpl(name string) *template.Template {
 func (a *api) mustParseBasedTpl(name string) *template.Template {
 tpl := a.mustParseTpl(name)
+ tpl = template.Must(tpl.New("load-csrf.html").Parse(mustReadTplFile("load-csrf.html")))
 tpl = template.Must(tpl.New("base.html").Parse(mustReadTplFile("base.html")))
 return tpl
 }
@@ -111,8 +112,8 @@ type tplData struct {
 func (t tplData) CSRFFormInput() template.HTML {
 return template.HTML(fmt.Sprintf(
- `<input type="hidden" name="%s" value="%s" />`,
- csrfTokenFormName, t.CSRFToken,
+ `<input type="hidden" name="%s" class="csrfHiddenInput" />`,
+ csrfTokenFormName,
 ))
 }
diff --git a/srv/src/http/tpl/assets.html b/srv/src/http/tpl/assets.html
index aa5e422..86e0ba5 100644
--- a/srv/src/http/tpl/assets.html
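Review bot: `getCSRFTokenHandler` hands out the caller's CSRF token over a plain GET with no cache headers, so any cache between the browser and the server (and the browser's own HTTP cache) is free to store `/api/csrf` and replay a stale or, behind a shared proxy, someone else's token into the hidden inputs; set `rw.Header().Set("Cache-Control", "no-store")` before the `JSONResult` call. The handler also answers `{"CSRFToken":""}` when the cookie is missing, because `GetCookie` is called with `""` as the fallback — unless something upstream of this mux sets the cookie on every response (not visible in this diff), a first visit to one of the static pages fills the inputs with an empty token and the following POST will be rejected by `checkCSRFMiddleware`, so this is the natural place to mint and set the cookie when it is absent. The new function has no doc comment; I would add `// getCSRFTokenHandler returns the caller's CSRF token (read from the csrf cookie) as JSON so pages served statically can fill their hidden form inputs client-side.`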
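Review bot: `CSRFFormInput` now renders an input with no `value`, and nothing in tpl.go says where that value will come from, so a reader of this file alone cannot tell that the form is unusable until the script in `load-csrf.html` has run. Add a comment above the method: `// CSRFFormInput renders an empty hidden csrf input; load-csrf.html's script fills its value client-side from GET /api/csrf, which lets the rendered page be served statically.` The removed line was the only read of `t.CSRFToken` in this method; if no other template or handler reads that field it is dead now (the `tplData` field list is outside the hunk).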
+++ b/srv/src/http/tpl/assets.html
@@ -46,6 +46,8 @@
 </table>
+{{ template "load-csrf.html" . }}
+
 {{ end }}
 {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/edit-post.html b/srv/src/http/tpl/edit-post.html
index 114369a..48af882 100644
--- a/srv/src/http/tpl/edit-post.html
+++ b/srv/src/http/tpl/edit-post.html
@@ -99,6 +99,8 @@
 </form>
+ {{ template "load-csrf.html" . }}
+
 {{ end }}
 {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/load-csrf.html b/srv/src/http/tpl/load-csrf.html
new file mode 100644
index 0000000..b0757f9
--- /dev/null
+++ b/srv/src/http/tpl/load-csrf.html
@@ -0,0 +1,13 @@
+<script async type="module" src="{{ StaticURL "api.js" }}"></script>
+
+<script type="text/javascript">
+ (async () => {
+ const api = await import("{{ StaticURL "api.js" }}");
+ const res = await api.call("/api/csrf");
+
+ const els = document.getElementsByClassName("csrfHiddenInput");
+ for (let i = 0; i < els.length; i++) {
+ els[i].value = res.CSRFToken;
+ }
+ })();
+</script>
diff --git a/srv/src/http/tpl/posts.html b/srv/src/http/tpl/posts.html
index c3aad0c..0609ff6 100644
--- a/srv/src/http/tpl/posts.html
+++ b/srv/src/http/tpl/posts.html
@@ -20,7 +20,6 @@
 {{ $csrfFormInput := .CSRFFormInput }}
-
 <p style="text-align: center;">
 <a href="{{ BlogURL "posts/" }}?edit">
 <button>New Post</button>
@@ -56,6 +55,8 @@
 {{ template "posts-nextprev" . }}
+ {{ template "load-csrf.html" . }}
+
 {{ end }}
 {{ template "base.html" . }}
|
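Review bot: The async IIFE in load-csrf.html neither handles failure nor signals completion, so every form on the page can be submitted with an empty `csrfHiddenInput` before `api.call("/api/csrf")` resolves, and if the call rejects (or returns an empty `CSRFToken`) the only trace is an unhandled promise rejection in the console while the form later fails its CSRF check with no explanation. Wrap the body in try/catch, treat an empty token as an error, and surface the failure to the user; disabling the forms' submit controls until the inputs are filled would close the race as well, though I can't see the forms' markup here to say what selector is safe. The `<script async type="module" src=…>` tag is redundant with the dynamic `import()` of the same URL directly below it, though harmless.
```html
<script type="text/javascript">
  (async () => {
    try {
      const api = await import("{{ StaticURL "api.js" }}");
      const res = await api.call("/api/csrf");
      if (!res || !res.CSRFToken) {
        throw new Error("empty CSRF token from /api/csrf");
      }
      <!-- … unchanged: fill every .csrfHiddenInput with res.CSRFToken … -->
    } catch (err) {
      console.error("could not load CSRF token; form submissions will be rejected", err);
      alert("Could not load the CSRF token. Reload the page before submitting.");
    }
  })();
</script>
```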