chore: fix CSRF (#876)

usememos · Dec 29, 2022 · c9bb2b7 · c9bb2b7
1 parent 64e5c34
commit c9bb2b7
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/server/acl.go b/server/acl.go
@@ -27,6 +27,7 @@ func setUserSession(ctx echo.Context, user *api.User) error {
 		Path:     "/",
 		MaxAge:   3600 * 24 * 30,
 		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
 	}
 	sess.Values[userIDContextKey] = user.ID
 	err := sess.Save(ctx.Request(), ctx.Response())

diff --git a/server/server.go b/server/server.go
@@ -36,6 +36,10 @@ func NewServer(profile *profile.Profile) *Server {
 			`"status":${status},"error":"${error}"}` + "\n",
 	}))
 
+	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		TokenLookup: "cookie:_csrf",
+	}))
+
 	e.Use(middleware.CORS())
 
 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{