go: fix csrf issues

2023-08-03 14:49:21 +02:00 · 2023-08-03 14:49:21 +02:00 · 118c34dac6
commit 118c34dac6
parent 044ed583b9
1 changed files with 12 additions and 5 deletions
--- a/app/echoSettings.go
+++ b/app/echoSettings.go
@ -10,6 +10,7 @@ import (

 	"github.com/gorilla/sessions"
 	"github.com/labstack/echo-contrib/session"
+	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	"golang.org/x/time/rate"
 )
@ -119,12 +120,18 @@ func (a *App) SetEchoSettings() {

 	e.Use(session.Middleware(store))

-	// e.Use(middleware.CSRF())
+	csrfCookieName := "pcmt_csrf"
+	if a.setting.HTTPSecure() {
+		csrfCookieName = "__Secure-" + csrfCookieName
+	}
+
 	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
-		TokenLookup: "cookie:_csrf",
-		CookiePath:  "/",
-		// CookieDomain:   "example.com",
-		// CookieSecure:   true,
+		TokenLookup: "cookie:" + csrfCookieName +
+			",form:csrf,header:" + echo.HeaderXCSRFToken,
+		CookieName: csrfCookieName,
+		ContextKey: "csrf",
+		// CookieDomain:   "localhost",
+		CookieSecure:   a.setting.HTTPSecure(),
 		CookieHTTPOnly: true,
 		CookieSameSite: http.SameSiteStrictMode,
 	}),