HomeLab/ForgeBucket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

phase 2 testing complete

Browse Source
This commit is contained in:
erangel1
2026-05-07 00:09:50 +02:00
parent 57991e5406
commit 5d8662595c
27 changed files with 1150 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/middleware/csrf.go
+66
View File
@@ -0,0 +1,66 @@
package middleware
import (
"crypto/rand"
"crypto/subtle"
"encoding/base64"
"net/http"
)
const csrfCookieName = "fb_csrf"
const csrfHeaderName = "X-CSRF-Token"
// NewCSRFToken generates a cryptographically random CSRF token, sets it as a
// non-HttpOnly cookie (so the SPA can read it), and returns the token value.
func NewCSRFToken(w http.ResponseWriter, secure bool) (string, error) {
b := make([]byte, 32)
if _, err := rand.Read(b); err != nil {
return "", err
}
token := base64.RawURLEncoding.EncodeToString(b)
http.SetCookie(w, &http.Cookie{
Name: csrfCookieName,
Value: token,
Path: "/",
HttpOnly: false, // must be readable by JS for the double-submit pattern
Secure: secure,
SameSite: http.SameSiteLaxMode,
})
return token, nil
}
// CSRF is a middleware that enforces the double-submit cookie pattern for all
// state-mutating requests (POST, PUT, PATCH, DELETE). Safe methods are passed
// through unchanged.
func CSRF(secure bool) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
// Safe method — no CSRF validation needed, just pass through.
next.ServeHTTP(w, r)
return
}
cookie, err := r.Cookie(csrfCookieName)
if err != nil || cookie.Value == "" {
http.Error(w, `{"error":"CSRF cookie missing"}`, http.StatusForbidden)
return
}
headerToken := r.Header.Get(csrfHeaderName)
if headerToken == "" {
http.Error(w, `{"error":"X-CSRF-Token header missing"}`, http.StatusForbidden)
return
}
// Constant-time compare prevents timing attacks.
if subtle.ConstantTimeCompare([]byte(cookie.Value), []byte(headerToken)) != 1 {
http.Error(w, `{"error":"CSRF validation failed"}`, http.StatusForbidden)
return
}
next.ServeHTTP(w, r)
})
}
}