routes: regroup, reorganise, break out csrf config
parent
1b64571429
commit
7f87d0f2c2
|
@ -30,6 +30,8 @@ func (a *App) SetupRoutes() error {
|
|||
return err
|
||||
}
|
||||
|
||||
xsrf := a.csrfConfig()
|
||||
|
||||
// keep /static/* as a compatibility fallback for /assets.
|
||||
e.GET(
|
||||
"/static/*",
|
||||
|
@ -45,18 +47,18 @@ func (a *App) SetupRoutes() error {
|
|||
e.GET("/assets/*", echo.WrapHandler(http.StripPrefix("/assets/", assets)), handlers.MiddlewareCache, compress)
|
||||
e.HEAD("/assets/*", echo.WrapHandler(http.StripPrefix("/assets/", assets)), handlers.MiddlewareCache, compress)
|
||||
|
||||
base := e.Group("/")
|
||||
e.GET("/healthz", handlers.Healthz())
|
||||
e.GET("/health", handlers.Healthz())
|
||||
|
||||
base.GET("/healthz", handlers.Healthz())
|
||||
base.GET("/health", handlers.Healthz())
|
||||
base := e.Group("/", xsrf, compress)
|
||||
|
||||
base.GET("/", handlers.Index(), compress)
|
||||
base.HEAD("/", handlers.Index(), compress)
|
||||
base.GET("/signin", handlers.Signin(), compress)
|
||||
base.GET("/", handlers.Index())
|
||||
base.HEAD("/", handlers.Index())
|
||||
base.GET("/signin", handlers.Signin())
|
||||
base.POST("/signin", handlers.SigninPost(a.db))
|
||||
base.GET("/signup", handlers.Signup(), compress)
|
||||
base.GET("/signup", handlers.Signup())
|
||||
base.POST("/signup", handlers.SignupPost(a.db))
|
||||
base.GET("/home", handlers.Home(a.db), compress)
|
||||
base.GET("/home", handlers.Home(a.db))
|
||||
|
||||
// handle weird attempts here.
|
||||
e.POST("/signin/*", func(c echo.Context) error {
|
||||
|
@ -66,7 +68,7 @@ func (a *App) SetupRoutes() error {
|
|||
return c.NoContent(http.StatusNotFound)
|
||||
})
|
||||
|
||||
admin := e.Group("/manage", handlers.MiddlewareSession)
|
||||
admin := e.Group("/manage", handlers.MiddlewareSession, xsrf)
|
||||
|
||||
admin.GET("/manage/api-keys", handlers.ManageAPIKeys())
|
||||
admin.GET("/manage/users", handlers.ManageUsers())
|
||||
|
@ -79,7 +81,7 @@ func (a *App) SetupRoutes() error {
|
|||
admin.POST("/manage/users/:id/delete", handlers.DeleteUser())
|
||||
|
||||
e.GET("/logout", handlers.Logout(), compress)
|
||||
e.POST("/logout", handlers.Logout(), handlers.MiddlewareSession)
|
||||
e.POST("/logout", handlers.Logout(), handlers.MiddlewareSession, xsrf)
|
||||
|
||||
// administrative endpoints.
|
||||
e.GET("/admin/*", handlers.Admin())
|
||||
|
|
|
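Review bot: The health-check routes are now registered on `base`, and `base` is created with the `xsrf` middleware, so every liveness probe to `/healthz` and `/health` runs through the CSRF middleware (which, as far as I recall Echo's implementation, issues a CSRF cookie on each request) and through `compress`; probes from a load balancer gain nothing from either and the extra Set-Cookie per probe is just noise. I would keep those two routes off the protected group, i.e. `e.GET("/healthz", handlers.Healthz())` and `e.GET("/health", handlers.Healthz())` registered directly on `e` as before. As this page prints it, `base.GET("/healthz", …)` appears before `base := e.Group("/", xsrf, compress)`; if that is the real order on the new side it cannot compile, so presumably the rendering has reordered the lines — worth confirming against the raw diff. SetupRoutes begins before the first hunk and continues past the `/admin/*` line.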
@ -120,6 +120,16 @@ func (a *App) SetServerSettings() {
|
|||
|
||||
e.Use(session.Middleware(store))
|
||||
|
||||
e.Use(middleware.Secure())
|
||||
|
||||
if a.setting.HTTPGzipEnabled() {
|
||||
e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
|
||||
Level: a.setting.HTTPGzipLevel(),
|
||||
}))
|
||||
}
|
||||
}
|
||||
|
||||
func (a *App) csrfConfig() echo.MiddlewareFunc {
|
||||
csrfCookieName := "pcmt_csrf"
|
||||
if a.setting.HTTPSecure() {
|
||||
// https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
|
||||
|
@ -128,7 +138,7 @@ func (a *App) SetServerSettings() {
|
|||
csrfCookieName = "__Host-" + csrfCookieName
|
||||
}
|
||||
|
||||
e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
|
||||
return middleware.CSRFWithConfig(middleware.CSRFConfig{
|
||||
TokenLookup: "cookie:" + csrfCookieName +
|
||||
",form:csrf,header:" + echo.HeaderXCSRFToken,
|
||||
CookieName: csrfCookieName,
|
||||
|
@ -138,14 +148,6 @@ func (a *App) SetServerSettings() {
|
|||
CookieHTTPOnly: true,
|
||||
CookieSameSite: http.SameSiteStrictMode,
|
||||
CookieMaxAge: a.setting.SessionMaxAge(),
|
||||
}),
|
||||
},
|
||||
)
|
||||
|
||||
e.Use(middleware.Secure())
|
||||
|
||||
if a.setting.HTTPGzipEnabled() {
|
||||
e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
|
||||
Level: a.setting.HTTPGzipLevel(),
|
||||
}))
|
||||
}
|
||||
}
|
||||
|
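Review bot: The extracted csrfConfig keeps `cookie:` + csrfCookieName as the first TokenLookup source, and Echo's CSRF middleware validates the extracted token by comparing it against that very cookie, so a request carrying the cookie satisfies the check without any form or header token; the double-submit comparison then adds nothing and the protection rests on `CookieSameSite: http.SameSiteStrictMode` alone. Since the config is being moved into its own function, drop the cookie source there: `TokenLookup: "form:csrf,header:" + echo.HeaderXCSRFToken,`. The `__Host-` prefix applied when HTTPSecure() is set is only honoured by browsers if the cookie is also Secure and Path=/; those fields fall in the lines elided between the last two hunks, so confirm `CookieSecure` and `CookiePath` are set accordingly. The new function also lacks a doc comment; a line such as `// csrfConfig builds the CSRF middleware, prefixing the cookie name with __Host- when the site is served over HTTPS.` would help the next reader. csrfConfig's body spans all three hunks of this section.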
|