From fae7f809139d34df433acfc62a1ef5792beaf8f4 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 23 Mar 2026 16:20:26 +0100 Subject: [PATCH] Add CSRF protection for cookie-authenticated requests --- cmd/server/main.go | 5 ++ internal/api/middleware/csrf.go | 98 +++++++++++++++++++++++++++++++++ internal/auth/handler.go | 21 ++++--- internal/file/handlers.go | 4 +- internal/file/routes.go | 4 +- templates/admin.html | 13 ++++- templates/changePassword.html | 5 +- templates/login.html | 6 +- 8 files changed, 139 insertions(+), 17 deletions(-) create mode 100644 internal/api/middleware/csrf.go diff --git a/cmd/server/main.go b/cmd/server/main.go index a0e6ef8..c8cecbf 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -1,6 +1,7 @@ package main import ( + "ResendIt/internal/api/middleware" "ResendIt/internal/auth" "ResendIt/internal/db" "ResendIt/internal/file" @@ -38,6 +39,9 @@ func main() { r := gin.Default() + // CSRF: set a token cookie for browsers and enforce it on unsafe /api calls. + r.Use(middleware.EnsureCSRFCookie()) + r.MaxMultipartMemory = 10 << 30 r.SetFuncMap(template.FuncMap{ "add": func(a, b int) int { return a + b }, @@ -74,6 +78,7 @@ func main() { createAdminUser(userService) apiRoute := r.Group("/api") + apiRoute.Use(middleware.CSRFMiddleware()) auth.RegisterRoutes(apiRoute, authHandler) user.RegisterRoutes(apiRoute, userHandler) diff --git a/internal/api/middleware/csrf.go b/internal/api/middleware/csrf.go new file mode 100644 index 0000000..2128e8d --- /dev/null +++ b/internal/api/middleware/csrf.go @@ -0,0 +1,98 @@ +package middleware + +import ( + "crypto/rand" + "encoding/base64" + "net/http" + "os" + "strings" + + "github.com/gin-gonic/gin" +) + +func randomToken(n int) (string, error) { + b := make([]byte, n) + if _, err := rand.Read(b); err != nil { + return "", err + } + return base64.RawURLEncoding.EncodeToString(b), nil +} + +// EnsureCSRFCookie sets a csrf_token cookie if it's missing. +// +// Uses SameSite=Strict to reduce cross-site cookie sending. +// HttpOnly must be false so browser JS can read it and send it back in a header. +func EnsureCSRFCookie() gin.HandlerFunc { + return func(c *gin.Context) { + if tok, err := c.Cookie("csrf_token"); err != nil || tok == "" { + if tok, err := randomToken(32); err == nil { + secure := os.Getenv("USE_HTTPS") == "true" + http.SetCookie(c.Writer, &http.Cookie{ + Name: "csrf_token", + Value: tok, + Path: "/", + Secure: secure, + HttpOnly: false, + SameSite: http.SameSiteStrictMode, + }) + } + } + c.Next() + } +} + +// CSRFMiddleware enforces CSRF checks on unsafe methods for cookie-authenticated requests. +// +// - Skips safe methods (GET/HEAD/OPTIONS). +// - Skips requests using Authorization: Bearer (non-cookie API clients). +// - Enforces only when auth_token cookie is present (browser session). +// +// Validation uses the double-submit cookie pattern: +// cookie csrf_token must match X-CSRF-Token header OR _csrf form field. +func CSRFMiddleware() gin.HandlerFunc { + return func(c *gin.Context) { + m := c.Request.Method + if m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions { + c.Next() + return + } + + if strings.HasPrefix(c.GetHeader("Authorization"), "Bearer ") { + c.Next() + return + } + + // Only enforce when cookie auth is in play + if _, err := c.Cookie("auth_token"); err != nil { + c.Next() + return + } + + // Extra hardening: basic Origin check when present. + if origin := c.GetHeader("Origin"); origin != "" { + host := c.Request.Host + if !strings.Contains(origin, host) { + c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "csrf origin blocked"}) + return + } + } + + cookieTok, err := c.Cookie("csrf_token") + if err != nil || cookieTok == "" { + c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "missing csrf cookie"}) + return + } + + reqTok := c.GetHeader("X-CSRF-Token") + if reqTok == "" { + reqTok = c.PostForm("_csrf") + } + + if reqTok == "" || reqTok != cookieTok { + c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "bad csrf token"}) + return + } + + c.Next() + } +} diff --git a/internal/auth/handler.go b/internal/auth/handler.go index cb0f055..d0cc1c8 100644 --- a/internal/auth/handler.go +++ b/internal/auth/handler.go @@ -1,6 +1,7 @@ package auth import ( + "net/http" "os" "github.com/gin-gonic/gin" @@ -49,15 +50,17 @@ func (h *Handler) Login(c *gin.Context) { isSecure := os.Getenv("USE_HTTPS") == "true" - c.SetCookie( - "auth_token", - token, - 3600*24, - "/", - os.Getenv("DOMAIN"), - isSecure, - true, // httpOnly (IMPORTANT) - ) + // Use http.SetCookie so we can set SameSite. + http.SetCookie(c.Writer, &http.Cookie{ + Name: "auth_token", + Value: token, + Path: "/", + Domain: os.Getenv("DOMAIN"), + MaxAge: 3600 * 24, + Secure: isSecure, + HttpOnly: true, + SameSite: http.SameSiteStrictMode, + }) c.JSON(200, gin.H{"token": token}) } diff --git a/internal/file/handlers.go b/internal/file/handlers.go index 3bba5b9..2580f47 100644 --- a/internal/file/handlers.go +++ b/internal/file/handlers.go @@ -168,7 +168,7 @@ func (h *Handler) AdminDelete(c *gin.Context) { return } - c.Redirect(301, "/admin") + c.Redirect(303, "/admin") } func (h *Handler) AdminForceDelete(c *gin.Context) { @@ -185,7 +185,7 @@ func (h *Handler) AdminForceDelete(c *gin.Context) { return } - c.Redirect(301, "/admin") + c.Redirect(303, "/admin") } func (h *Handler) Import(c *gin.Context) { diff --git a/internal/file/routes.go b/internal/file/routes.go index 8c2234e..48edcdb 100644 --- a/internal/file/routes.go +++ b/internal/file/routes.go @@ -24,8 +24,8 @@ func RegisterRoutes(r *gin.RouterGroup, h *Handler) { adminRoutes.GET("/download/:id", h.AdminGet) - adminRoutes.GET("/delete/:id", h.AdminDelete) - adminRoutes.GET("/delete/fr/:id", h.AdminForceDelete) + adminRoutes.POST("/delete/:id", h.AdminDelete) + adminRoutes.POST("/delete/fr/:id", h.AdminForceDelete) adminRoutes.POST("/import", h.Import) adminRoutes.GET("/export", h.Export) diff --git a/templates/admin.html b/templates/admin.html index 6a12f01..5df0540 100644 --- a/templates/admin.html +++ b/templates/admin.html @@ -150,11 +150,13 @@
{{if not .Deleted}} -
+ +
{{end}} -
+ +
@@ -202,6 +204,13 @@ currentForm = null; } + // Fill CSRF hidden inputs from cookie (double-submit pattern) + (function fillCSRF() { + const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)'); + const tok = m ? m.pop() : ''; + document.querySelectorAll('.csrf-field').forEach(el => el.value = tok); + })(); + document.getElementById('modal-confirm-btn').addEventListener('click', () => { if (currentForm) { currentForm.submit(); diff --git a/templates/changePassword.html b/templates/changePassword.html index 3bc0cdb..71a2831 100644 --- a/templates/changePassword.html +++ b/templates/changePassword.html @@ -258,9 +258,12 @@ } try { + const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)'); + const csrf = m ? m.pop() : ''; + const res = await fetch('/api/user/change-password', { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrf }, body: JSON.stringify({ old_password: current, new_password: nv diff --git a/templates/login.html b/templates/login.html index a9928ac..602e1fe 100644 --- a/templates/login.html +++ b/templates/login.html @@ -127,10 +127,14 @@ const password = document.getElementById("password").value; try { + const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)'); + const csrf = m ? m.pop() : ''; + const res = await fetch("/api/auth/login", { method: "POST", headers: { - "Content-Type": "application/json" + "Content-Type": "application/json", + "X-CSRF-Token": csrf }, body: JSON.stringify({ username: username,