enable csrf

bueti · Nov 12, 2023 · 889cb16 · 889cb16
1 parent cb815c7
commit 889cb16
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 2 deletions.
diff --git a/cmd/api/helpers.go b/cmd/api/helpers.go
@@ -4,6 +4,7 @@ import (
 	"time"
 
 	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
 )
 
 func (app *application) isAuthenticated(c echo.Context) bool {
@@ -16,5 +17,6 @@ func (app *application) newTemplateData(c echo.Context) *templateData {
 		Flash:           app.sessionManager.PopString(c.Request().Context(), "flash"),
 		FlashError:      app.sessionManager.PopString(c.Request().Context(), "flash_error"),
 		IsAuthenticated: app.isAuthenticated(c),
+		CSRFToken:       c.Get(middleware.DefaultCSRFConfig.ContextKey).(string),
 	}
 }
diff --git a/cmd/api/router.go b/cmd/api/router.go
@@ -24,6 +24,9 @@ func (app *application) registerMiddleware() {
 	app.echo.Use(middleware.Recover())
 	app.echo.Use(middleware.Gzip())
 	app.echo.Use(middleware.CORS())
+	app.echo.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		TokenLookup: "form:csrf_token",
+	}))
 	app.echo.Use(middleware.Secure())
 	app.echo.Use(middleware.BodyLimit("1M"))
 	app.echo.Use(middleware.RequestID())

diff --git a/cmd/api/user.go b/cmd/api/user.go
@@ -79,7 +79,7 @@ func (app *application) handleFormSignup(c echo.Context) error {
 		}
 	}()
 
-	app.sessionManager.Put(c.Request().Context(), "flash", "Your signup was successful. Please log in.")
+	app.sessionManager.Put(c.Request().Context(), "flash", "Your signup was successful. Please check your mailbox for the account activation link.")
 	return c.Redirect(http.StatusSeeOther, "/login")
 }
 
@@ -228,7 +228,7 @@ func (app *application) listUsersHandler(c echo.Context) error {
 
 // loginHandler handles the display of the login form.
 func (app *application) loginHandler(c echo.Context) error {
-	return c.Render(http.StatusOK, "login.tmpl.html", nil)
+	return c.Render(http.StatusOK, "login.tmpl.html", app.newTemplateData(c))
 }
 
 // logoutHandler handles the logout of a user.

diff --git a/ui/html/pages/create_url.tmpl.html b/ui/html/pages/create_url.tmpl.html
@@ -5,6 +5,7 @@
 <h2 class="text-2xl font-bold text-gray-900">Create URL</h2>
 <p class="mt-4 text-gray-600">Please enter your information below to create a new URL.</p>
 <form class="mt-8" action="/urls" method="post">
+    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
     <div class="flex flex-col">
         <label for="original" class="hidden">URL</label>
         <input type="url" name="original" id="original" placeholder="Long URL"

diff --git a/ui/html/pages/login.tmpl.html b/ui/html/pages/login.tmpl.html
@@ -5,6 +5,7 @@
 <h2 class="text-2xl font-bold text-gray-900">Login</h2>
 <p class="mt-4 text-gray-600">Please enter your information below to login.</p>
 <form class="mt-8" action="/login" method="post">
+    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
     <div class="flex flex-col">
         <label for="email" class="hidden">Email</label>
         <input type="email" name="email" id="email" placeholder="Email"

diff --git a/ui/html/pages/signup.tmpl.html b/ui/html/pages/signup.tmpl.html
@@ -4,6 +4,7 @@
 <h2 class="text-2xl font-bold text-gray-900">Sign Up</h2>
 <p class="mt-4 text-gray-600">Please enter your information below to sign up.</p>
 <form class="mt-8" action="/signup" method="post">
+    <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
     <div class="flex flex-col">
         <label for="name" class="hidden">Name</label>
         <input type="text" name="name" id="name" placeholder="Display Name"