From 118c34dac6173c4ca472b05946e2c578ede4ace0 Mon Sep 17 00:00:00 2001
From: surtur
Date: Thu, 3 Aug 2023 14:49:21 +0200
Subject: [PATCH] go: fix csrf issues
---
 app/echoSettings.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/app/echoSettings.go b/app/echoSettings.go
index e9f32b9..7d01413 100644
--- a/app/echoSettings.go
+++ b/app/echoSettings.go
@@ -10,6 +10,7 @@ import (
 "github.com/gorilla/sessions"
 "github.com/labstack/echo-contrib/session"
+ "github.com/labstack/echo/v4"
 "github.com/labstack/echo/v4/middleware"
 "golang.org/x/time/rate"
 )
@@ -119,12 +120,18 @@ func (a *App) SetEchoSettings() {
 e.Use(session.Middleware(store))
 
- // e.Use(middleware.CSRF())
+ csrfCookieName := "pcmt_csrf"
+ if a.setting.HTTPSecure() {
+ csrfCookieName = "__Secure-" + csrfCookieName
+ }
+
 e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
- TokenLookup: "cookie:_csrf",
- CookiePath: "/",
- // CookieDomain: "example.com",
- // CookieSecure: true,
+ TokenLookup: "cookie:" + csrfCookieName +
+ ",form:csrf,header:" + echo.HeaderXCSRFToken,
+ CookieName: csrfCookieName,
+ ContextKey: "csrf",
+ // CookieDomain: "localhost",
+ CookieSecure: a.setting.HTTPSecure(),
 CookieHTTPOnly: true,
 CookieSameSite: http.SameSiteStrictMode,
 }),