go,tmpl: use CSRF token in relevant places

2023-08-05 21:43:45 +02:00 · 2023-08-05 21:43:45 +02:00 · 536b5909c8
parent 393b1af830
commit 536b5909c8
5 changed files with 13 additions and 1 deletions
--- a/handlers/home.go
+++ b/handlers/home.go
@ -67,6 +67,8 @@ func Home(client *ent.Client) echo.HandlerFunc {
 			)
 		}

+		csrf := c.Get("csrf").(string)
+
 		err := c.Render(http.StatusOK, "home.tmpl",
 			page{
 				AppName:   setting.AppName(),
@ -74,6 +76,7 @@ func Home(client *ent.Client) echo.HandlerFunc {
 				Title:     "Home",
 				Name:      username,
 				DevelMode: setting.IsDevel(),
+				CSRF:      csrf,
 				Current:   "home",
 				User:      u,
 			},
--- a/handlers/logout.go
+++ b/handlers/logout.go
@ -14,6 +14,8 @@ func Logout() echo.HandlerFunc {
 	return func(c echo.Context) error {
 		addHeaders(c)

+		csrf := c.Get("csrf").(string)
+
 		switch {
 		case c.Request().Method == "POST":
 			sess, _ := session.Get(setting.SessionCookieName(), c)
@ -41,6 +43,7 @@ func Logout() echo.HandlerFunc {
 					AppName:   setting.AppName(),
 					AppVer:    appver,
 					Title:     "Logout",
+					CSRF:      csrf,
 					DevelMode: setting.IsDevel(),
 					Current:   "logout",
 				},
--- a/handlers/signin.go
+++ b/handlers/signin.go
@ -27,6 +27,8 @@ func Signin() echo.HandlerFunc {
 			}
 		}

+		csrf := c.Get("csrf").(string)
+
 		return c.Render(
 			http.StatusOK,
 			"signin.tmpl",
@ -34,6 +36,7 @@ func Signin() echo.HandlerFunc {
 				AppName:   setting.AppName(),
 				AppVer:    appver,
 				Title:     "Sign in",
+				CSRF:      csrf,
 				DevelMode: setting.IsDevel(),
 				Current:   "signin",
 			},
@ -55,12 +58,14 @@ func SigninPost(client *ent.Client) echo.HandlerFunc {
 			)
 		}

+		csrf := c.Get("csrf").(string)
 		username := cu.Username
 		password := cu.Password
 		p := page{
 			AppName:   setting.AppName(),
 			AppVer:    appver,
 			Title:     "Sign in",
+			CSRF:      csrf,
 			DevelMode: setting.IsDevel(),
 			Current:   "signin",
 		}
--- a/templates/signin.tmpl
+++ b/templates/signin.tmpl
@ -14,6 +14,7 @@
 			</div>
 			<div class="mt-8 lg:w-1/2 lg:mt-0">
 				<form method="post" class="w-full lg:max-w-xl">
+					<input type="hidden" name="csrf" value="{{- .CSRF -}}">
 					{{ if and .Data .Data.flash }}
 					<div class="relative flex items-center mb-4">
 						<p class="mt-2 text-md text-rose-800 dark:text-rose-500"><span class="font-medium">Error:</span> {{.Data.flash}}</p>
--- a/templates/signup.tmpl
+++ b/templates/signup.tmpl
@ -13,7 +13,7 @@
 			</div>
 			<div class="mt-8 lg:w-1/2 lg:mt-0">
 				<form method="post" class="w-full lg:max-w-xl">
-					<input type="hidden" name="_csrf" value="{{- .CSRF -}}">
+					<input type="hidden" name="csrf" value="{{- .CSRF -}}">
 					<div class="relative flex items-center">
 						<span class="absolute" role="img" aria-label="person outline icon for username">
 							{{ template "svg-user.tmpl" }}