authorBrian Picciano <mediocregopher@gmail.com>2022-05-24 17:27:03 -0600
committerBrian Picciano <mediocregopher@gmail.com>2022-05-24 17:27:03 -0600
commit159638084e167047b86fd65382f50cd099d4eb48 (patch)
treed4653540894da749726f4f8be988fe6df8d195a7
parent88ebaeda8f02e2c89dac44809fffb1f9ebb71bd0 (diff)
Fix CSRF loading on static GET pages
-rw-r--r--srv/src/http/api.go3
-rw-r--r--srv/src/http/csrf.go19
-rw-r--r--srv/src/http/tpl.go5
-rw-r--r--srv/src/http/tpl/assets.html2
-rw-r--r--srv/src/http/tpl/edit-post.html2
-rw-r--r--srv/src/http/tpl/load-csrf.html13
-rw-r--r--srv/src/http/tpl/posts.html3
7 files changed, 44 insertions, 3 deletions
diff --git a/srv/src/http/api.go b/srv/src/http/api.go
index 19a65d9..da54c9c 100644
--- a/srv/src/http/api.go
+++ b/srv/src/http/api.go
@@ -163,6 +163,9 @@ func (a *api) Shutdown(ctx context.Context) error {
func (a *api) apiHandler() http.Handler {
mux := http.NewServeMux()
+
+ mux.Handle("/csrf", a.getCSRFTokenHandler())
+
mux.Handle("/pow/challenge", a.newPowChallengeHandler())
mux.Handle("/pow/check",
a.requirePowMiddleware(
diff --git a/srv/src/http/csrf.go b/srv/src/http/csrf.go
index 1c80dee..7a45269 100644
--- a/srv/src/http/csrf.go
+++ b/srv/src/http/csrf.go
@@ -57,3 +57,22 @@ func checkCSRFMiddleware(h http.Handler) http.Handler {
h.ServeHTTP(rw, r)
})
}
+
+func (a *api) getCSRFTokenHandler() http.Handler {
+
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+
+ csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
+
+ if err != nil {
+ apiutil.InternalServerError(rw, r, err)
+ return
+ }
+
+ apiutil.JSONResult(rw, r, struct {
+ CSRFToken string
+ }{
+ CSRFToken: csrfTok,
+ })
+ })
+}
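Review bot: The handler added in this hunk echoes the CSRF cookie value in a JSON body without marking the response uncacheable, so a browser or intermediary cache may retain a token that is later reused; add `rw.Header().Set("Cache-Control", "no-store")` before the `apiutil.JSONResult` call. It also answers every HTTP method even though it is a pure read, so a `if r.Method != http.MethodGet { ... }` guard at the top of the handler (or on the `/csrf` registration in api.go) would narrow it. If `apiutil.GetCookie` returns the `""` default when the cookie is absent — I can't see its contract from this hunk — a first-time visitor receives `CSRFToken: ""` and the page's form later submits an empty token, so it is worth confirming that the cookie is set earlier in the chain, e.g. by the middleware whose body ends just above this hunk.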
diff --git a/srv/src/http/tpl.go b/srv/src/http/tpl.go
index 5c235a1..8654569 100644
--- a/srv/src/http/tpl.go
+++ b/srv/src/http/tpl.go
@@ -100,6 +100,7 @@ func (a *api) mustParseTpl(name string) *template.Template {
func (a *api) mustParseBasedTpl(name string) *template.Template {
tpl := a.mustParseTpl(name)
+ tpl = template.Must(tpl.New("load-csrf.html").Parse(mustReadTplFile("load-csrf.html")))
tpl = template.Must(tpl.New("base.html").Parse(mustReadTplFile("base.html")))
return tpl
}
@@ -111,8 +112,8 @@ type tplData struct {
func (t tplData) CSRFFormInput() template.HTML {
return template.HTML(fmt.Sprintf(
- `<input type="hidden" name="%s" value="%s" />`,
- csrfTokenFormName, t.CSRFToken,
+ `<input type="hidden" name="%s" class="csrfHiddenInput" />`,
+ csrfTokenFormName,
))
}
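Review bot: CSRFFormInput no longer emits the token value (the `t.CSRFToken` argument is dropped), so the hidden input it renders is only valid on pages that also include load-csrf.html and whose script actually runs; that dependency is invisible at the call site and nothing in the method now references the CSRFToken field. Document it with a comment above the function: `// CSRFFormInput renders an empty hidden CSRF input whose value is filled in client-side by the load-csrf.html template; every page using this helper must include that template.` The tplData struct the method belongs to is defined above this hunk.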
diff --git a/srv/src/http/tpl/assets.html b/srv/src/http/tpl/assets.html
index aa5e422..86e0ba5 100644
--- a/srv/src/http/tpl/assets.html
+++ b/srv/src/http/tpl/assets.html
@@ -46,6 +46,8 @@
</table>
+{{ template "load-csrf.html" . }}
+
{{ end }}
{{ template "base.html" . }}
diff --git a/srv/src/http/tpl/edit-post.html b/srv/src/http/tpl/edit-post.html
index 114369a..48af882 100644
--- a/srv/src/http/tpl/edit-post.html
+++ b/srv/src/http/tpl/edit-post.html
@@ -99,6 +99,8 @@
</form>
+ {{ template "load-csrf.html" . }}
+
{{ end }}
{{ template "base.html" . }}
diff --git a/srv/src/http/tpl/load-csrf.html b/srv/src/http/tpl/load-csrf.html
new file mode 100644
index 0000000..b0757f9
--- /dev/null
+++ b/srv/src/http/tpl/load-csrf.html
@@ -0,0 +1,13 @@
+<script async type="module" src="{{ StaticURL "api.js" }}"></script>
+
+<script type="text/javascript">
+ (async () => {
+ const api = await import("{{ StaticURL "api.js" }}");
+ const res = await api.call("/api/csrf");
+
+ const els = document.getElementsByClassName("csrfHiddenInput");
+ for (let i = 0; i < els.length; i++) {
+ els[i].value = res.CSRFToken;
+ }
+ })();
+</script>
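Review bot: The async IIFE in the inline script has no error handling: if `api.call` rejects (network failure, non-2xx response) the rejection is unhandled and every `.csrfHiddenInput` stays empty, so the user's next form submit fails the CSRF check with no visible cause. Wrap the call in try/catch and report the failure, and note that the same empty-token window exists for a submit made before the fetch resolves. The hard-coded `/api/csrf` path assumes apiHandler is mounted under `/api`, which this diff does not show; `res.CSRFToken` matches the field name in getCSRFTokenHandler.
```html
<script type="text/javascript">
  (async () => {
    const api = await import("{{ StaticURL "api.js" }}");
    let res;
    try {
      res = await api.call("/api/csrf");
    } catch (e) {
      console.error("loading CSRF token failed", e);
      return;
    }
    // … unchanged: fill every .csrfHiddenInput with res.CSRFToken …
  })();
</script>
```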
diff --git a/srv/src/http/tpl/posts.html b/srv/src/http/tpl/posts.html
index c3aad0c..0609ff6 100644
--- a/srv/src/http/tpl/posts.html
+++ b/srv/src/http/tpl/posts.html
@@ -20,7 +20,6 @@
{{ $csrfFormInput := .CSRFFormInput }}
-
<p style="text-align: center;">
<a href="{{ BlogURL "posts/" }}?edit">
<button>New Post</button>
@@ -56,6 +55,8 @@
{{ template "posts-nextprev" . }}
+ {{ template "load-csrf.html" . }}
+
{{ end }}
{{ template "base.html" . }}