From 159638084e167047b86fd65382f50cd099d4eb48 Mon Sep 17 00:00:00 2001
From: Brian Picciano
Date: Tue, 24 May 2022 17:27:03 -0600
Subject: Fix CSRF loading on static GET pages

---
 srv/src/http/api.go | 3 +++
 srv/src/http/csrf.go | 19 +++++++++++++++++++
 srv/src/http/tpl.go | 5 +++--
 srv/src/http/tpl/assets.html | 2 ++
 srv/src/http/tpl/edit-post.html | 2 ++
 srv/src/http/tpl/load-csrf.html | 13 +++++++++++++
 srv/src/http/tpl/posts.html | 3 ++-
 7 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 srv/src/http/tpl/load-csrf.html
(limited to 'srv/src')

diff --git a/srv/src/http/api.go b/srv/src/http/api.go
index 19a65d9..da54c9c 100644
--- a/srv/src/http/api.go
+++ b/srv/src/http/api.go
@@ -163,6 +163,9 @@ func (a *api) Shutdown(ctx context.Context) error {
 func (a *api) apiHandler() http.Handler {
 	mux := http.NewServeMux()
+
+	mux.Handle("/csrf", a.getCSRFTokenHandler())
+
 	mux.Handle("/pow/challenge", a.newPowChallengeHandler())
 	mux.Handle("/pow/check", a.requirePowMiddleware(
diff --git a/srv/src/http/csrf.go b/srv/src/http/csrf.go
index 1c80dee..7a45269 100644
--- a/srv/src/http/csrf.go
+++ b/srv/src/http/csrf.go
@@ -57,3 +57,22 @@ func checkCSRFMiddleware(h http.Handler) http.Handler {
 		h.ServeHTTP(rw, r)
 	})
 }
+
+func (a *api) getCSRFTokenHandler() http.Handler {
+
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+
+		csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
+
+		if err != nil {
+			apiutil.InternalServerError(rw, r, err)
+			return
+		}
+
+		apiutil.JSONResult(rw, r, struct {
+			CSRFToken string
+		}{
+			CSRFToken: csrfTok,
+		})
+	})
+}
diff --git a/srv/src/http/tpl.go b/srv/src/http/tpl.go
index 5c235a1..8654569 100644
--- a/srv/src/http/tpl.go
+++ b/srv/src/http/tpl.go
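Review bot: In getCSRFTokenHandler the empty default passed to `apiutil.GetCookie(r, csrfTokenCookieName, "")` turns a missing CSRF cookie into a 200 response carrying an empty `CSRFToken`, so a page whose cookie was never issued only learns of the problem when its next form POST is rejected by checkCSRFMiddleware. Reject that case before encoding, e.g. `if csrfTok == "" { http.Error(rw, "csrf cookie not set", http.StatusBadRequest); return }`, unless the cookie is meant to be issued on this same request — which the hunk does not show — in which case a comment saying so would do. The response hands a per-client secret back as the body of a plain GET, so also add `rw.Header().Set("Cache-Control", "no-store")` before the `apiutil.JSONResult` call so that proxies and the browser cache do not retain it. The route registered in the api.go hunk accepts every HTTP method; restricting it to GET is cheap but optional.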
@@ -100,6 +100,7 @@ func (a *api) mustParseTpl(name string) *template.Template {
 func (a *api) mustParseBasedTpl(name string) *template.Template {
 	tpl := a.mustParseTpl(name)
+	tpl = template.Must(tpl.New("load-csrf.html").Parse(mustReadTplFile("load-csrf.html")))
 	tpl = template.Must(tpl.New("base.html").Parse(mustReadTplFile("base.html")))
 	return tpl
 }
@@ -111,8 +112,8 @@ type tplData struct {
 func (t tplData) CSRFFormInput() template.HTML {
 	return template.HTML(fmt.Sprintf(
-		``,
-		csrfTokenFormName, t.CSRFToken,
+		``,
+		csrfTokenFormName,
 	))
 }
diff --git a/srv/src/http/tpl/assets.html b/srv/src/http/tpl/assets.html
index aa5e422..86e0ba5 100644
--- a/srv/src/http/tpl/assets.html
+++ b/srv/src/http/tpl/assets.html
@@ -46,6 +46,8 @@
+{{ template "load-csrf.html" . }}
+
 {{ end }} {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/edit-post.html b/srv/src/http/tpl/edit-post.html
index 114369a..48af882 100644
--- a/srv/src/http/tpl/edit-post.html
+++ b/srv/src/http/tpl/edit-post.html
@@ -99,6 +99,8 @@
+ {{ template "load-csrf.html" . }}
+
 {{ end }} {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/load-csrf.html b/srv/src/http/tpl/load-csrf.html
new file mode 100644
index 0000000..b0757f9
--- /dev/null
+++ b/srv/src/http/tpl/load-csrf.html
@@ -0,0 +1,13 @@ + + +
diff --git a/srv/src/http/tpl/posts.html b/srv/src/http/tpl/posts.html
index c3aad0c..0609ff6 100644
--- a/srv/src/http/tpl/posts.html
+++ b/srv/src/http/tpl/posts.html
@@ -20,7 +20,6 @@ {{ $csrfFormInput := .CSRFFormInput }} -
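Review bot: CSRFFormInput still wraps its output in `template.HTML`, which switches off html/template escaping, but after this hunk the only interpolated value is the constant `csrfTokenFormName`; that makes the bypass safe, and a comment should pin the invariant so a later edit does not reintroduce a runtime value: `// Only the constant field name is interpolated here, so template.HTML cannot carry untrusted data; the token value is presumably filled in client-side, see load-csrf.html.` With `t.CSRFToken` removed from this method, the `CSRFToken` field of tplData has no remaining reader in these hunks — if nothing else uses it, drop the field and whatever populates it rather than carrying a server-side token that is never emitted. The tplData definition and the surrounding bodies extend outside the hunk, so that part is inferred from what is visible.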

@@ -56,6 +55,8 @@ {{ template "posts-nextprev" . }}
+ {{ template "load-csrf.html" . }}
+
 {{ end }} {{ template "base.html" . }}
-- cgit v1.2.3