paul/skeleton
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make CSRF customizable

Browse source
This commit is contained in:
paul 2019-08-22 00:49:23 +02:00
parent ac5f74988f
commit 8dbdc9500f
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
internal/web/handlers.go
View file

@ -8,9 +8,14 @@ import (
"github.com/gorilla/csrf" "github.com/gorilla/csrf"
) )
type Config struct {
CSRFSecret string `env:"CSRF_TOKEN"`
}
type Handlers struct { type Handlers struct {
*app.App *app.App
session *scs.Session session *scs.Session
Config *Config
} }
func NewHandlers(app *app.App) *Handlers { func NewHandlers(app *app.App) *Handlers {
@ -34,8 +39,12 @@ func (h *Handlers) commonRenderContext(r *http.Request) map[string]interface{} {
} }
func (h *Handlers) CSRF() func(http.Handler) http.Handler { func (h *Handlers) CSRF() func(http.Handler) http.Handler {
if h.Config.CSRFSecret == "" {
// TODO FIXME: generate random
h.Config.CSRFSecret = "12345678901234567890123456789012"
}
return csrf.Protect( return csrf.Protect(
[]byte("12345678901234567890123456789012"), []byte(h.Config.CSRFSecret),
csrf.FieldName("authenticity_token"), csrf.FieldName("authenticity_token"),
csrf.Secure(h.session.Cookie.Secure), csrf.Secure(h.session.Cookie.Secure),
) )