CSRF protection added

osminogin · osminogin · commit 8f41d9758bc2 · 2020-08-04T13:32:18.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,13 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+### Added
+- CSRF protection for main form [@osminogin](https://github.com/osminogin)
+
+### Changed
+- Licensed under Apache v2 license [@osminogin](https://github.com/osminogin).
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.14
 require (
 	github.com/go-pg/pg/v10 v10.0.0-beta.2
 	github.com/google/uuid v1.1.1
+	github.com/gorilla/csrf v1.7.0
 	github.com/gorilla/mux v1.7.4
 	github.com/segmentio/encoding v0.1.14 // indirect
 	github.com/spf13/viper v1.7.0
diff --git a/go.sum b/go.sum
@@ -109,8 +109,12 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/csrf v1.7.0 h1:mMPjV5/3Zd460xCavIkppUdvnl5fPXMpv2uz2Zyg7/Y=
+github.com/gorilla/csrf v1.7.0/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
 github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
 github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
@@ -184,6 +188,8 @@ github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
diff --git a/handlers.go b/handlers.go
@@ -22,12 +22,15 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
+	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
 )
 
-// frontPageHandler render home page.
-func frontPageHandler(w http.ResponseWriter, r *http.Request) {
-	renderTemplate(w, "index.html", nil)
+// mainFormHandler renders main form.
+func mainFormHandler(w http.ResponseWriter, r *http.Request) {
+	renderTemplate(w, "index.html", map[string]interface{}{
+		csrf.TemplateTag: csrf.TemplateField(r),
+	})
 }
 
 // publicFileHandler get file from bindata or return not found error.
diff --git a/public/main.js b/public/main.js
@@ -22,11 +22,13 @@ $(document).ready(function() {
         var text = form.find("textarea").val();
         var secret = sjcl.codec.base64url.fromBits(sjcl.random.randomWords(5));
         var encrypted = sjcl.encrypt(secret, text);
+        let csrfToken = document.getElementsByName("csrf_token")[0].value;
 
         $.ajax({
             url: form.attr("action"),
             method: "POST",
             data: {body: encrypted.toString()},
+            headers: {"X-CSRF-Token": csrfToken},
             success: function(id) {
                 var link = window.location.href.toString() + id + "#" + secret;
                 $("#secret_link").text(link);
diff --git a/server.go b/server.go
@@ -17,24 +17,26 @@
 package tornote
 
 import (
+	"crypto/sha256"
 	"fmt"
 	"log"
 	"net/http"
 
 	"github.com/go-pg/pg/v10"
 	"github.com/go-pg/pg/v10/orm"
+	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
 )
 
 type server struct {
 	// Listen port
 	Port uint64
 	// Secret used for encryption/decription
-	Key  string
+	Key string
 	// Data source name
 	DSN string
 	// PostgreSQL connection
-	db   *pg.DB
+	db *pg.DB
 }
 
 type Server interface {
@@ -76,12 +78,27 @@ func (s *server) createSchema() error {
 	return nil
 }
 
-// Running daemon process.
+// Generate hash from server secret key.
+func (s *server) getSecretHash() []byte {
+	h := sha256.New()
+	h.Write([]byte("hello world\n"))
+	return h.Sum(nil)
+}
+
+// Running server.
 func (s *server) Run() error {
 	r := mux.NewRouter().StrictSlash(true)
 
+	// Setup middlewares
+	csrfMiddleware := csrf.Protect(
+		s.getSecretHash(),
+		csrf.FieldName("csrf_token"),
+		csrf.SameSite(csrf.SameSiteStrictMode),
+	)
+	r.Use(csrfMiddleware)
+
 	// HTTP handlers
-	r.HandleFunc("/", frontPageHandler).Methods("GET")
+	r.HandleFunc("/", mainFormHandler).Methods("GET")
 	//r.PathPrefix("/favicon.ico").HandlerFunc(publicFileHandler).Methods("GET")
 	r.PathPrefix("/public/").HandlerFunc(publicFileHandler).Methods("GET")
 	r.Handle("/note", createNoteHandler(s)).Methods("POST")
diff --git a/templates/index.html b/templates/index.html
@@ -8,9 +8,10 @@
     </div>
 </noscript>
 
-<!-- Submit form -->
+<!-- Main form -->
 <div id="main" class="hidden">
     <form id="note" action="/note" method="post">
+        {{ .csrfField }}
         <div class="form-group">
             <label for="note">
                 Write your note below
