csrf

assets/state.js

@@ -93,6 +93,7 @@
         const formData = new FormData();
         formData.append('state', new Blob([state]));
         formData.append('screenshot', new Blob([screenshot]));
+        formData.append('_playtime_csrf', window._csrf);
 
         try {
             const url = `/games/save-states/${GameId}/upload`;

templates/game_delete.twig

@@ -15,6 +15,7 @@
     <hr>
 
     <form action="/games/delete/{{ game.Id }}" method="post" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <div class="text-end mb-3">
             <button type="submit" class="btn btn-danger">Delete game</button>
         </div>

templates/game_edit.twig

@@ -10,6 +10,7 @@
     <hr>
 
     <form method="post" action="/games/edit/{{ game.Id }}" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_game.twig" %}
     </form>
 

templates/game_emulation_settings.twig

@@ -11,6 +11,7 @@
     <hr>
 
     <form action="/games/emulation-settings/{{ game.Id }}" method="post" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_platform_settings.twig" %}
         <hr>
         <div class="mb-3 text-end">

templates/games.twig

@@ -70,6 +70,7 @@
     {% endif %}
 
     <form id="upload" action="/games/upload" method="post" enctype="multipart/form-data" class="d-none">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <input type="file" id="games" name="games" multiple>
     </form>
 

templates/includes/form_user.twig

@@ -19,14 +19,14 @@
 {% endif %}
 
 <div class="mb-3">
-    <div class="form-check">
+    <div class="form-check form-switch">
         <input type="checkbox" id="admin" name="admin" value="1" class="form-check-input" {% if user_control.Admin %}checked{% endif %}>
         <label for="admin">Admin</label>
     </div>
 </div>
 
 <div class="mb-3">
-    <div class="form-check">
+    <div class="form-check form-switch">
         <input type="checkbox" id="active" name="active" value="1" class="form-check-input" {% if user_control.Active %}checked{% endif %}>
         <label for="active">Active</label>
     </div>

templates/login.twig

@@ -13,6 +13,7 @@
                     <div class="alert alert-danger">{{error}}</div>
                 {% endif %}
                 <form method="post" action="/login" enctype="application/x-www-form-urlencoded">
+                    <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
                     <div class="form-floating mb-3">
                         <input type="text" id="login" name="login" class="form-control" value="{{login}}" placeholder="Login" required>
                         <label for="login">Login</label>

templates/play.twig

@@ -76,6 +76,8 @@
     {% if save_state.StateFileDownloadLink %}
         EJS_loadStateURL = '{{ save_state.StateFileDownloadLink }}';
     {% endif %}
+
+    _csrf = '{{ _csrf_token }}';
 </script>
 
 {% include "includes/play_controls.twig" %}

templates/profile.twig

@@ -16,6 +16,7 @@
     {% endif %}
 
     <form method="post" action="/profile" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <div class="form-floating mb-3">
             <input type="password" id="password" name="password" class="form-control" value="" placeholder="Current password" required>
             <label for="password">Current password</label>

templates/save_state_delete.twig

@@ -16,6 +16,7 @@
     <hr>
 
     <form method="post" action="/games/save-states/{{ game.Id }}/delete/{{ state.Id }}" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <div class="text-end mb-3">
             <button type="submit" class="btn btn-danger">Delete save state</button>
         </div>

templates/settings.twig

@@ -15,6 +15,7 @@
     {% endif %}
 
     <form action="/settings" method="post" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_settings.twig" %}
         <div class="mb-3 text-end">
             <button type="submit" class="btn btn-primary">Save</button>

templates/settings_platform.twig

@@ -14,6 +14,7 @@
     <hr>
 
     <form action="/settings/{{ platform.Id }}" method="post" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_platform_settings.twig" %}
         <hr>
         <div class="mb-3 text-end">

templates/upload_batch.twig

@@ -9,6 +9,7 @@
     <hr>
 
     <form action="/games/upload-batch/{{ upload_batch.Id }}" method="post" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <div class="list-group list-group-hover">
             {% for game in games %}
                 <div class="list-group-item">

templates/user_delete.twig

@@ -15,6 +15,7 @@
     <hr>
 
     <form method="post" action="/users/delete/{{ user_control.Id }}" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         <div class="text-end mb-3">
             <button type="submit" class="btn btn-danger">Delete user</button>
         </div>

templates/user_edit.twig

@@ -10,6 +10,7 @@
     <hr>
 
     <form method="post" action="/users/edit/{{ user_control.Id }}" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_user.twig" with mode="edit" %}<hr>
         <hr>
         <div class="mb-3 text-end">

templates/user_new.twig

@@ -10,6 +10,7 @@
     <hr>
 
     <form method="post" action="/users/new" enctype="application/x-www-form-urlencoded">
+        <input type="hidden" name="_playtime_csrf" value="{{ _csrf_token }}">
         {% include "includes/form_user.twig" with mode="create" %}
         <hr>
         <div class="mb-3 text-end">

web/handlers_auth.go

@@ -19,7 +19,9 @@ func (s *Server) loginForm(c echo.Context) error {
 		return c.Redirect(http.StatusFound, "/")
 	}
 
-	return c.Render(http.StatusOK, "login", pongo2.Context{})
+	return c.Render(http.StatusOK, "login", pongo2.Context{
+		"_csrf_token": c.Get("csrf"),
+	})
 }
 
 func (s *Server) loginSubmit(c echo.Context) error {

web/handlers_game.go

@@ -19,6 +19,7 @@ func (s *Server) games(c echo.Context) error {
 	}
 
 	return c.Render(http.StatusOK, "games", pongo2.Context{
+		"_csrf_token":       c.Get("csrf"),
 		"user":              context.user,
 		"games_by_platform": s.groupGamesByPlatform(games),
 		"netplay_enabled":   s.config.NetplayEnabled,
@@ -85,6 +86,7 @@ func (s *Server) gameUploadBatchForm(c echo.Context) error {
 	}
 
 	return c.Render(http.StatusOK, "upload_batch", pongo2.Context{
+		"_csrf_token":  c.Get("csrf"),
 		"user":         context.user,
 		"upload_batch": context.uploadBatch,
 		"games":        guessGameProperties(games),
@@ -117,6 +119,7 @@ func (s *Server) gameEditForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 
 	return c.Render(http.StatusOK, "game_edit", pongo2.Context{
+		"_csrf_token":     c.Get("csrf"),
 		"user":            context.user,
 		"game":            context.game,
 		"platforms":       sortedPlatforms(),
@@ -155,6 +158,7 @@ func (s *Server) gameEmulationSettingsForm(c echo.Context) error {
 	platform := context.game.Platform
 
 	return c.Render(http.StatusOK, "game_emulation_settings", pongo2.Context{
+		"_csrf_token":          c.Get("csrf"),
 		"user":                 context.user,
 		"game":                 context.game,
 		"settings":             context.game.EmulatorSettings,
@@ -191,8 +195,9 @@ func (s *Server) gameDeleteForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 
 	return c.Render(http.StatusOK, "game_delete", pongo2.Context{
-		"user": context.user,
-		"game": context.game,
+		"_csrf_token": c.Get("csrf"),
+		"user":        context.user,
+		"game":        context.game,
 	})
 }
 

web/handlers_play.go

@@ -58,6 +58,7 @@ func (s *Server) play(c echo.Context) error {
 	c.Response().Header().Add("Cross-Origin-Embedder-Policy", "require-corp")
 
 	return c.Render(http.StatusOK, "play", pongo2.Context{
+		"_csrf_token":           c.Get("csrf"),
 		"user":                  context.user,
 		"game":                  game,
 		"settings":              settings,

web/handlers_profile.go

@@ -13,8 +13,9 @@ func (s *Server) profileForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 
 	return c.Render(http.StatusOK, "profile", pongo2.Context{
-		"user": context.user,
-		"done": c.QueryParam("done"),
+		"_csrf_token": c.Get("csrf"),
+		"user":        context.user,
+		"done":        c.QueryParam("done"),
 	})
 }
 

web/handlers_save_state.go

@@ -72,9 +72,10 @@ func (s *Server) saveStateDeleteForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 
 	return c.Render(http.StatusOK, "save_state_delete", pongo2.Context{
-		"user":  context.user,
-		"game":  context.game,
-		"state": context.saveState,
+		"_csrf_token": c.Get("csrf"),
+		"user":        context.user,
+		"game":        context.game,
+		"state":       context.saveState,
 	})
 }
 

web/handlers_settings.go

@@ -15,11 +15,12 @@ func (s *Server) settingsGeneralForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 
 	return c.Render(http.StatusOK, "settings", pongo2.Context{
-		"user":      context.user,
-		"settings":  context.settings,
-		"done":      c.QueryParam("done"),
-		"languages": storage.Languages,
-		"platforms": sortedPlatforms(),
+		"_csrf_token": c.Get("csrf"),
+		"user":        context.user,
+		"settings":    context.settings,
+		"done":        c.QueryParam("done"),
+		"languages":   storage.Languages,
+		"platforms":   sortedPlatforms(),
 	})
 }
 
@@ -48,6 +49,7 @@ func (s *Server) settingsByPlatformForm(c echo.Context) error {
 	}
 
 	return c.Render(http.StatusOK, "settings_platform", pongo2.Context{
+		"_csrf_token":          c.Get("csrf"),
 		"user":                 context.user,
 		"settings":             platformSettings,
 		"shaders":              storage.Shaders,

web/handlers_user.go

@@ -28,7 +28,8 @@ func (s *Server) users(c echo.Context) error {
 func (s *Server) userNewForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 	return c.Render(http.StatusOK, "user_new", pongo2.Context{
-		"user": context.user,
+		"_csrf_token": c.Get("csrf"),
+		"user":        context.user,
 	})
 }
 
@@ -64,6 +65,7 @@ func (s *Server) userNewSubmit(c echo.Context) error {
 func (s *Server) userEditForm(c echo.Context) error {
 	context := c.(*PlaytimeContext)
 	return c.Render(http.StatusOK, "user_edit", pongo2.Context{
+		"_csrf_token":  c.Get("csrf"),
 		"user":         context.user,
 		"user_control": context.userControl,
 	})
@@ -115,6 +117,7 @@ func (s *Server) userDeleteForm(c echo.Context) error {
 	}
 
 	return c.Render(http.StatusOK, "user_delete", pongo2.Context{
+		"_csrf_token":  c.Get("csrf"),
 		"user":         context.user,
 		"user_control": context.userControl,
 	})

web/main.go

@@ -81,6 +81,11 @@ func New(config *Configuration, storage *storage.Storage) *Server {
 		heartbeatTicker: time.NewTicker(HeartbeatInterval),
 	}
 
+	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		TokenLookup: "form:_playtime_csrf",
+		CookiePath:  "/",
+		CookieName:  "_playtime_csrf",
+	}))
 	e.Use(s.contextCustomizationMiddleware)
 
 	e.GET("/", s.index)