feat(webui): add csrf tokens to all forms processing code

Closes #60
2025-05-01 08:37:28 +02:00 · 2025-05-01 08:37:28 +02:00 · 5d7b540718
commit 5d7b540718
parent 895615ad6e
15 changed files with 71 additions and 2 deletions
--- a/pkg/webui/csrf.go
+++ b/pkg/webui/csrf.go
@ -0,0 +1,30 @@
+package webui
+
+import (
+	"fmt"
+	"net/http"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/model"
+	"go.n16f.net/uuid"
+)
+
+func verifyCSRFToken(w http.ResponseWriter, r *http.Request) bool {
+	session := r.Context().Value(model.SessionContextKey{}).(*model.Session)
+	tokenStr := r.FormValue("csrf_token")
+	if tokenStr == "" {
+		tokenStr = r.Header.Get("X-XSRF-Token")
+	}
+	var token uuid.UUID
+	if err := token.Parse(tokenStr); err != nil {
+		errorResponse(w, r, http.StatusBadRequest,
+			fmt.Errorf("failed to parse csrf token: %w", err))
+		return false
+	}
+
+	if !token.Equal(session.Data.CsrfToken) {
+		errorResponse(w, r, http.StatusForbidden,
+			fmt.Errorf("invalid csrf token"))
+		return false
+	}
+	return true
+}