routes: regroup, reorganise, break out csrf config

app/routes.go

@@ -30,6 +30,8 @@ func (a *App) SetupRoutes() error {
 		return err
 	}
 
+	xsrf := a.csrfConfig()
+
 	// keep /static/* as a compatibility fallback for /assets.
 	e.GET(
 		"/static/*",
@@ -45,18 +47,18 @@ func (a *App) SetupRoutes() error {
 	e.GET("/assets/*", echo.WrapHandler(http.StripPrefix("/assets/", assets)), handlers.MiddlewareCache, compress)
 	e.HEAD("/assets/*", echo.WrapHandler(http.StripPrefix("/assets/", assets)), handlers.MiddlewareCache, compress)
 
-	base := e.Group("/")
+	e.GET("/healthz", handlers.Healthz())
+	e.GET("/health", handlers.Healthz())
 
-	base.GET("/healthz", handlers.Healthz())
-	base.GET("/health", handlers.Healthz())
+	base := e.Group("/", xsrf, compress)
 
-	base.GET("/", handlers.Index(), compress)
-	base.HEAD("/", handlers.Index(), compress)
-	base.GET("/signin", handlers.Signin(), compress)
+	base.GET("/", handlers.Index())
+	base.HEAD("/", handlers.Index())
+	base.GET("/signin", handlers.Signin())
 	base.POST("/signin", handlers.SigninPost(a.db))
-	base.GET("/signup", handlers.Signup(), compress)
+	base.GET("/signup", handlers.Signup())
 	base.POST("/signup", handlers.SignupPost(a.db))
-	base.GET("/home", handlers.Home(a.db), compress)
+	base.GET("/home", handlers.Home(a.db))
 
 	// handle weird attempts here.
 	e.POST("/signin/*", func(c echo.Context) error {
@@ -66,7 +68,7 @@ func (a *App) SetupRoutes() error {
 		return c.NoContent(http.StatusNotFound)
 	})
 
-	admin := e.Group("/manage", handlers.MiddlewareSession)
+	admin := e.Group("/manage", handlers.MiddlewareSession, xsrf)
 
 	admin.GET("/manage/api-keys", handlers.ManageAPIKeys())
 	admin.GET("/manage/users", handlers.ManageUsers())
@@ -79,7 +81,7 @@ func (a *App) SetupRoutes() error {
 	admin.POST("/manage/users/:id/delete", handlers.DeleteUser())
 
 	e.GET("/logout", handlers.Logout(), compress)
-	e.POST("/logout", handlers.Logout(), handlers.MiddlewareSession)
+	e.POST("/logout", handlers.Logout(), handlers.MiddlewareSession, xsrf)
 
 	// administrative endpoints.
 	e.GET("/admin/*", handlers.Admin())

app/server.go

@@ -120,6 +120,16 @@ func (a *App) SetServerSettings() {
 
 	e.Use(session.Middleware(store))
 
+	e.Use(middleware.Secure())
+
+	if a.setting.HTTPGzipEnabled() {
+		e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
+			Level: a.setting.HTTPGzipLevel(),
+		}))
+	}
+}
+
+func (a *App) csrfConfig() echo.MiddlewareFunc {
 	csrfCookieName := "pcmt_csrf"
 	if a.setting.HTTPSecure() {
 		// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
@@ -128,7 +138,7 @@ func (a *App) SetServerSettings() {
 		csrfCookieName = "__Host-" + csrfCookieName
 	}
 
-	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+	return middleware.CSRFWithConfig(middleware.CSRFConfig{
 		TokenLookup: "cookie:" + csrfCookieName +
 			",form:csrf,header:" + echo.HeaderXCSRFToken,
 		CookieName: csrfCookieName,
@@ -138,14 +148,6 @@ func (a *App) SetServerSettings() {
 		CookieHTTPOnly: true,
 		CookieSameSite: http.SameSiteStrictMode,
 		CookieMaxAge:   a.setting.SessionMaxAge(),
-	}),
+	},
 	)
-
-	e.Use(middleware.Secure())
-
-	if a.setting.HTTPGzipEnabled() {
-		e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
-			Level: a.setting.HTTPGzipLevel(),
-		}))
-	}
 }