Issue 17 add csrf protection to middleware #20
Conversation
Pull Request Overview
This PR adds CSRF protection to the application by implementing cross-origin request validation in production environments. The protection is layered with CORS configuration to ensure secure handling of cross-origin requests while allowing legitimate same-origin operations.
Key changes:
- Upgraded Go to version 1.25.0 to support CSRF protection features
- Implemented environment-aware CSRF protection that is active in production but permissive in development
- Added comprehensive test coverage for CSRF protection scenarios including origin validation, referer checking, and safe method handling
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| go.mod | Updated Go version to 1.25.0 and cleaned up unused dependencies |
| actions/csrf_test.go | Added comprehensive test suite covering CSRF protection scenarios including origin/referer validation and safe methods |
| actions/app.go | Integrated CSRF protection middleware with environment-aware configuration and updated CORS settings |
| req, err := http.NewRequest("POST", baseURL+"/users", body) | ||
| require.NoError(t, err) | ||
|
|
||
| req.Header.Set("Origin", conf.SiteURL) |
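Review bot: apart from the undefined `conf`, this request only exercises the trusted-origin path; a companion request in the same test with a mismatched `Origin` (and one with the literal `Origin: null` that browsers send from sandboxed or opaque contexts) should assert a 403, otherwise the positive assertion can pass vacuously if the middleware is not actually checking the header.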
Reference to undefined variable 'conf'. This should likely be 'fix.App.conf.SiteURL' to access the configuration from the test fixture.
| req, err := http.NewRequest("POST", baseURL+"/users", body) | ||
| require.NoError(t, err) | ||
|
|
||
| req.Header.Set("Referer", conf.SiteURL+"/users/new") |
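Review bot: since `Referer` is the only signal in this request, the middleware should compare the parsed scheme and host of the Referer against `SiteURL`, not prefix-match the raw string; a second request whose Referer host merely begins with the site host (e.g. `SiteURL` followed by `.` and another domain) should be asserted as rejected so a `strings.HasPrefix`-style check cannot slip through.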
Reference to undefined variable 'conf'. This should likely be 'fix.App.conf.SiteURL' to access the configuration from the test fixture.
go.mod
Outdated
| go 1.24.0 | ||
|
|
||
| toolchain go1.24.1 | ||
| go 1.25.0 |
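Review bot: with the `toolchain go1.24.1` line removed, the `go` directive alone now pins the minimum version, so it should be the patch release the team wants (1.25.4 per the review comment) and the CI image must carry at least that toolchain; the reason for the bump, the `net/http.CrossOriginProtection` type that is new in Go 1.25, is worth naming in the commit message so the version requirement is discoverable later.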
Let's do 1.25.4, the latest
actions/csrf_test.go
Outdated
| func TestCSRFProtection_BlocksUntrustedOrigins(t *testing.T) { | ||
| fix := NewFixture(t) | ||
| defer fix.Cleanup() |
Let's try to have it follow conventions used in our other tests. For example, the fixture is usually just called f. And for http requests use the helpers on f.Client if possible (I know for these tests since there are headers and such involved that may not be possible)
Hey @jonyen is this one good for more review?
Sorry for the delay. This is good for more review and I've recorded a video demonstrating that it works: https://app.airtimetools.com/recorder/s/z_S4j6PdjpfdsIIVTePBY0?t=0
Great thanks man, sorry for the delay
We enable CSRF protection for prod environments (not needed for dev). Added some tests.
Updated Go to 1.25.0 which supports CSRF protection.
Full disclosure: this code is all generated with AI. I have reviewed the code and have tested it manually to ensure that CSRF is functional.
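The behaviour this PR describes (origin validation, Referer checking, safe-method exemption, strict in production but permissive in development) is shown below as an added, self-contained example; it is not the project's middleware or its tests. `Config`, `CheckCSRF`, `Middleware` and `Allowed` are hypothetical names chosen for the example, and the decision order (Sec-Fetch-Site first, then Origin, then Referer, with header-less non-browser requests allowed) is this example's own choice. Go 1.25's standard library ships `net/http.CrossOriginProtection` for this purpose, which is what the version bump enables; the hand-rolled check here compiles on older toolchains too so the logic can be read and tested on its own.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config is a constructed stand-in for the project's configuration struct.
type Config struct {
	Env     string // "production" enables the check; anything else skips it
	SiteURL string // the application's own origin, e.g. "https://example.test"
}

// ErrCrossOrigin is returned for a state-changing request that does not
// come from the site's own origin.
var ErrCrossOrigin = errors.New("cross-origin request rejected")

// safeMethod reports whether the method is read-only and therefore exempt
// (CSRF only matters for requests that change state).
func safeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	return false
}

// originOf reduces an absolute URL to its scheme://host origin, the unit on
// which Origin and Referer headers are compared (never a string prefix).
func originOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	return u.Scheme + "://" + u.Host, nil
}

// CheckCSRF applies this example's decision order: safe methods pass; a
// browser-supplied Sec-Fetch-Site header is authoritative; otherwise the
// Origin header, then the Referer, must match the site's own origin.
// Requests carrying none of these headers (non-browser clients) are allowed.
func CheckCSRF(cfg Config, r *http.Request) error {
	if safeMethod(r.Method) {
		return nil
	}
	trusted, err := originOf(cfg.SiteURL)
	if err != nil {
		return err
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return nil
	case "cross-site", "same-site":
		return ErrCrossOrigin
	}
	if o := r.Header.Get("Origin"); o != "" {
		if strings.EqualFold(o, trusted) {
			return nil
		}
		return ErrCrossOrigin // also rejects the literal "null" origin
	}
	if ref := r.Header.Get("Referer"); ref != "" {
		got, err := originOf(ref)
		if err != nil || !strings.EqualFold(got, trusted) {
			return ErrCrossOrigin
		}
		return nil
	}
	return nil
}

// Middleware wraps h with the check in production only, mirroring the
// "strict in prod, permissive in dev" behaviour the PR describes.
func Middleware(cfg Config, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.Env == "production" {
			if err := CheckCSRF(cfg, r); err != nil {
				http.Error(w, err.Error(), http.StatusForbidden)
				return
			}
		}
		h.ServeHTTP(w, r)
	})
}

// Allowed builds a request with the given headers (empty strings are omitted)
// and reports whether the middleware let it reach the wrapped handler.
func Allowed(cfg Config, method, origin, referer, fetchSite string) bool {
	req := httptest.NewRequest(method, cfg.SiteURL+"/users", nil)
	for k, v := range map[string]string{"Origin": origin, "Referer": referer, "Sec-Fetch-Site": fetchSite} {
		if v != "" {
			req.Header.Set(k, v)
		}
	}
	reached := false
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { reached = true })
	Middleware(cfg, next).ServeHTTP(httptest.NewRecorder(), req)
	return reached
}

func main() {
	prod := Config{Env: "production", SiteURL: "https://example.test"} // constructed values
	fmt.Println("POST from own origin:   ", Allowed(prod, "POST", "https://example.test", "", ""))
	fmt.Println("POST from other origin: ", Allowed(prod, "POST", "https://attacker.example", "", ""))
	fmt.Println("GET from other origin:  ", Allowed(prod, "GET", "https://attacker.example", "", ""))
}
```

`Allowed` is the shape the test fixture helpers mentioned in review would take: it sets the headers on a request the way the PR's tests do and records whether the wrapped handler ran, so each scenario (trusted origin, foreign origin, `null` origin, own-site Referer, lookalike Referer host, header-less client, development environment) is one assertion rather than a hand-built request.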