From 15ae483fadbd136acefcd602b2f2ac5a83165c73 Mon Sep 17 00:00:00 2001
From: Brian Picciano <mediocregopher@gmail.com>
Date: Sun, 29 Aug 2021 22:15:58 -0600
Subject: add CSRF checking

---
 srv/api/api.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'srv/api/api.go')

diff --git a/srv/api/api.go b/srv/api/api.go
index 39d73d9..bbb677a 100644
--- a/srv/api/api.go
+++ b/srv/api/api.go
@@ -142,6 +142,8 @@ func (a *api) handler() http.Handler {
 		staticHandler = httputil.NewSingleHostReverseProxy(a.params.StaticProxy)
 	}
 
+	staticHandler = setCSRFMiddleware(staticHandler)
+
 	// sugar
 	requirePow := func(h http.Handler) http.Handler {
 		return a.requirePowMiddleware(h)
@@ -163,7 +165,9 @@ func (a *api) handler() http.Handler {
 	apiMux.Handle("/mailinglist/finalize", a.mailingListFinalizeHandler())
 	apiMux.Handle("/mailinglist/unsubscribe", a.mailingListUnsubscribeHandler())
 
-	apiHandler := logMiddleware(a.params.Logger, apiMux)
+	var apiHandler http.Handler = apiMux
+	apiHandler = checkCSRFMiddleware(apiHandler)
+	apiHandler = logMiddleware(a.params.Logger, apiHandler)
 	apiHandler = annotateMiddleware(apiHandler)
 	apiHandler = addResponseHeaders(map[string]string{
 		"Cache-Control": "no-store, max-age=0",
-- 
cgit v1.2.3