brammie15/ReSendit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: brammie15:csrf-tokens
Branches Tags
brammie15:master brammie15:important-tests brammie15:csrf-tokens
..
compare: brammie15:50fa00384254e57eb89a0ed59a8f86a8812f78e1
Branches Tags
brammie15:master brammie15:important-tests brammie15:csrf-tokens

1 Commits
csrf-token ... 50fa003842

Author SHA1 Message Date
root
50fa003842 Admin page: show actual file presence dot per row 2026-03-23 16:47:20 +01:00
9 changed files with 74 additions and 141 deletions
Expand all files Collapse all files

5
cmd/server/main.go
View File

@@ -1,7 +1,6 @@
package main
import (
"ResendIt/internal/api/middleware"
"ResendIt/internal/auth"
"ResendIt/internal/db"
"ResendIt/internal/file"
@@ -39,9 +38,6 @@ func main() {
r := gin.Default()
// CSRF: set a token cookie for browsers and enforce it on unsafe /api calls.
r.Use(middleware.EnsureCSRFCookie())
r.MaxMultipartMemory = 10 << 30
r.SetFuncMap(template.FuncMap{
"add": func(a, b int) int { return a + b },
@@ -78,7 +74,6 @@ func main() {
createAdminUser(userService)
apiRoute := r.Group("/api")
apiRoute.Use(middleware.CSRFMiddleware())
auth.RegisterRoutes(apiRoute, authHandler)
user.RegisterRoutes(apiRoute, userHandler)

98
internal/api/middleware/csrf.go
View File

@@ -1,98 +0,0 @@
package middleware
import (
"crypto/rand"
"encoding/base64"
"net/http"
"os"
"strings"
"github.com/gin-gonic/gin"
)
func randomToken(n int) (string, error) {
b := make([]byte, n)
if _, err := rand.Read(b); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b), nil
}
// EnsureCSRFCookie sets a csrf_token cookie if it's missing.
//
// Uses SameSite=Strict to reduce cross-site cookie sending.
// HttpOnly must be false so browser JS can read it and send it back in a header.
func EnsureCSRFCookie() gin.HandlerFunc {
return func(c *gin.Context) {
if tok, err := c.Cookie("csrf_token"); err != nil || tok == "" {
if tok, err := randomToken(32); err == nil {
secure := os.Getenv("USE_HTTPS") == "true"
http.SetCookie(c.Writer, &http.Cookie{
Name: "csrf_token",
Value: tok,
Path: "/",
Secure: secure,
HttpOnly: false,
SameSite: http.SameSiteStrictMode,
})
}
}
c.Next()
}
}
// CSRFMiddleware enforces CSRF checks on unsafe methods for cookie-authenticated requests.
//
// - Skips safe methods (GET/HEAD/OPTIONS).
// - Skips requests using Authorization: Bearer (non-cookie API clients).
// - Enforces only when auth_token cookie is present (browser session).
//
// Validation uses the double-submit cookie pattern:
// cookie csrf_token must match X-CSRF-Token header OR _csrf form field.
func CSRFMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
m := c.Request.Method
if m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions {
c.Next()
return
}
if strings.HasPrefix(c.GetHeader("Authorization"), "Bearer ") {
c.Next()
return
}
// Only enforce when cookie auth is in play
if _, err := c.Cookie("auth_token"); err != nil {
c.Next()
return
}
// Extra hardening: basic Origin check when present.
if origin := c.GetHeader("Origin"); origin != "" {
host := c.Request.Host
if !strings.Contains(origin, host) {
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "csrf origin blocked"})
return
}
}
cookieTok, err := c.Cookie("csrf_token")
if err != nil || cookieTok == "" {
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "missing csrf cookie"})
return
}
reqTok := c.GetHeader("X-CSRF-Token")
if reqTok == "" {
reqTok = c.PostForm("_csrf")
}
if reqTok == "" || reqTok != cookieTok {
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "bad csrf token"})
return
}
c.Next()
}
}

21
internal/auth/handler.go
View File

@@ -1,7 +1,6 @@
package auth
import (
"net/http"
"os"
"github.com/gin-gonic/gin"
@@ -50,17 +49,15 @@ func (h *Handler) Login(c *gin.Context) {
isSecure := os.Getenv("USE_HTTPS") == "true"
// Use http.SetCookie so we can set SameSite.
http.SetCookie(c.Writer, &http.Cookie{
Name: "auth_token",
Value: token,
Path: "/",
Domain: os.Getenv("DOMAIN"),
MaxAge: 3600 * 24,
Secure: isSecure,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
})
c.SetCookie(
"auth_token",
token,
3600*24,
"/",
os.Getenv("DOMAIN"),
isSecure,
true, // httpOnly (IMPORTANT)
)
c.JSON(200, gin.H{"token": token})
}

4
internal/file/handlers.go
View File

@@ -168,7 +168,7 @@ func (h *Handler) AdminDelete(c *gin.Context) {
return
}
c.Redirect(303, "/admin")
c.Redirect(301, "/admin")
}
func (h *Handler) AdminForceDelete(c *gin.Context) {
@@ -185,7 +185,7 @@ func (h *Handler) AdminForceDelete(c *gin.Context) {
return
}
c.Redirect(303, "/admin")
c.Redirect(301, "/admin")
}
func (h *Handler) Import(c *gin.Context) {

4
internal/file/routes.go
View File

@@ -24,8 +24,8 @@ func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
adminRoutes.GET("/download/:id", h.AdminGet)
adminRoutes.POST("/delete/:id", h.AdminDelete)
adminRoutes.POST("/delete/fr/:id", h.AdminForceDelete)
adminRoutes.GET("/delete/:id", h.AdminDelete)
adminRoutes.GET("/delete/fr/:id", h.AdminForceDelete)
adminRoutes.POST("/import", h.Import)
adminRoutes.GET("/export", h.Export)

28
internal/web/handler.go
View File

@@ -2,6 +2,7 @@ package web
import (
"ResendIt/internal/file"
"os"
"strconv"
"github.com/gin-gonic/gin"
@@ -70,10 +71,35 @@ func (h *Handler) AdminPage(c *gin.Context) {
return
}
// Only check files on the current page.
// Status meanings:
// - green: file exists on disk
// - red: file missing
// - rainbow: stat error (something unexpected)
type AdminFileView struct {
file.FileRecord
ActualStatus string
}
adminFiles := make([]AdminFileView, 0, len(files))
for _, f := range files {
status := "red"
if f.Path != "" {
if _, err := os.Stat(f.Path); err == nil {
status = "green"
} else if os.IsNotExist(err) {
status = "red"
} else {
status = "rainbow"
}
}
adminFiles = append(adminFiles, AdminFileView{FileRecord: f, ActualStatus: status})
}
totalPages := (totalCount + limit - 1) / limit
c.HTML(200, "admin.html", gin.H{
"Files": files,
"Files": adminFiles,
"Page": page,
"TotalPages": totalPages,
})

44
templates/admin.html
View File

@@ -16,6 +16,24 @@
td { border: 1px solid #000; padding: 10px; font-size: 13px; font-weight: 500; }
tr:hover { background: #ffff00; }
/* Actual file status dot */
.dot { width: 12px; height: 12px; border: 2px solid #000; display: inline-block; }
.dot-green { background: #00ff00; }
.dot-red { background: #ff0000; }
.dot-rainbow {
animation: rainbow 0.8s linear infinite;
background: red;
}
@keyframes rainbow {
0% { background: #ff0000; }
16% { background: #ff9900; }
33% { background: #ffff00; }
50% { background: #00ff00; }
66% { background: #00ccff; }
83% { background: #9900ff; }
100% { background: #ff0000; }
}
/* Harsh Status Tags */
.status-tag { font-weight: 900; font-size: 11px; padding: 3px 6px; border: 2px solid #000; display: inline-block; text-transform: uppercase; }
.status-deleted { background: #000; color: #ff0000; }
@@ -109,12 +127,13 @@
<th>Hits</th>
<th>Burn</th>
<th>Status</th>
<th>Actual</th>
<th>System_Actions</th>
</tr>
</thead>
<tbody>
{{if not .Files}}
<tr><td colspan="7" class="text-center py-10 font-bold uppercase italic">Zero files in buffer</td></tr>
<tr><td colspan="8" class="text-center py-10 font-bold uppercase italic">Zero files in buffer</td></tr>
{{end}}
{{range .Files}}
<tr>
@@ -147,16 +166,24 @@
{{end}}
</td>
<td class="text-center">
{{if eq .ActualStatus "green"}}
<span class="dot dot-green" title="File exists"></span>
{{else if eq .ActualStatus "red"}}
<span class="dot dot-red" title="File missing"></span>
{{else}}
<span class="dot dot-rainbow" title="Stat error"></span>
{{end}}
</td>
<td>
<div class="btn-group">
{{if not .Deleted}}
<form action="/api/files/admin/delete/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
<input type="hidden" name="_csrf" class="csrf-field">
<form action="/api/files/admin/delete/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
<button type="submit" style="background: #ffcccc;">Terminate</button>
</form>
{{end}}
<form action="/api/files/admin/delete/fr/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
<input type="hidden" name="_csrf" class="csrf-field">
<form action="/api/files/admin/delete/fr/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
<button type="submit">Full_Wipe</button>
</form>
</div>
@@ -204,13 +231,6 @@
currentForm = null;
}
// Fill CSRF hidden inputs from cookie (double-submit pattern)
(function fillCSRF() {
const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
const tok = m ? m.pop() : '';
document.querySelectorAll('.csrf-field').forEach(el => el.value = tok);
})();
document.getElementById('modal-confirm-btn').addEventListener('click', () => {
if (currentForm) {
currentForm.submit();

5
templates/changePassword.html
View File

@@ -258,12 +258,9 @@
}
try {
const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
const csrf = m ? m.pop() : '';
const res = await fetch('/api/user/change-password', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrf },
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
old_password: current,
new_password: nv

6
templates/login.html
View File

@@ -127,14 +127,10 @@
const password = document.getElementById("password").value;
try {
const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
const csrf = m ? m.pop() : '';
const res = await fetch("/api/auth/login", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-CSRF-Token": csrf
"Content-Type": "application/json"
},
body: JSON.stringify({
username: username,