go: fix csrf issues

This commit is contained in:
surtur 2023-08-03 14:49:21 +02:00
parent 044ed583b9
commit 118c34dac6
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI

@ -10,6 +10,7 @@ import (
"github.com/gorilla/sessions" "github.com/gorilla/sessions"
"github.com/labstack/echo-contrib/session" "github.com/labstack/echo-contrib/session"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware" "github.com/labstack/echo/v4/middleware"
"golang.org/x/time/rate" "golang.org/x/time/rate"
) )
@ -119,12 +120,18 @@ func (a *App) SetEchoSettings() {
e.Use(session.Middleware(store)) e.Use(session.Middleware(store))
// e.Use(middleware.CSRF()) csrfCookieName := "pcmt_csrf"
if a.setting.HTTPSecure() {
csrfCookieName = "__Secure-" + csrfCookieName
}
e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{ e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
TokenLookup: "cookie:_csrf", TokenLookup: "cookie:" + csrfCookieName +
CookiePath: "/", ",form:csrf,header:" + echo.HeaderXCSRFToken,
// CookieDomain: "example.com", CookieName: csrfCookieName,
// CookieSecure: true, ContextKey: "csrf",
// CookieDomain: "localhost",
CookieSecure: a.setting.HTTPSecure(),
CookieHTTPOnly: true, CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode, CookieSameSite: http.SameSiteStrictMode,
}), }),
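Review bot: Listing `cookie:` as a TokenLookup source (the `TokenLookup: "cookie:" + csrfCookieName +` line) makes the double-submit check compare the cookie token with itself, so any request that carries the cookie validates even when no form or header token was submitted, and the only remaining protection is SameSite=Strict. Restrict the lookup to client-supplied locations: `TokenLookup: "form:csrf,header:" + echo.HeaderXCSRFToken,`. The `__Secure-` prefix is only honoured by browsers when the cookie also carries the Secure attribute, so `CookieSecure: a.setting.HTTPSecure(),` must be present on the new side; the rendering prints that line once, so its side is not certain here. The old `CookiePath: "/"` is not visible on the new side; if it was dropped, the cookie defaults to the directory of the request path that set it, which can produce token mismatches between routes. SetEchoSettings continues outside the hunk.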