From 588f8c7c707cc0fc3fadf031dc9485591d396872 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.h@sprinternet.at>
Date: Mon, 22 Mar 2021 22:51:37 +0100
Subject: [PATCH] add csrf

---
 assets/tpl/admin_create_clients.html  |  1 +
 assets/tpl/admin_edit_client.html     |  1 +
 assets/tpl/admin_edit_interface.html  |  1 +
 assets/tpl/admin_edit_user.html       |  3 ++-
 assets/tpl/login.html                 |  1 +
 go.mod                                |  3 +--
 internal/server/configuration.go      |  2 ++
 internal/server/handlers_auth.go      |  3 +++
 internal/server/handlers_common.go    |  9 +++------
 internal/server/handlers_interface.go |  5 +++--
 internal/server/handlers_peer.go      |  4 ++++
 internal/server/handlers_user.go      |  3 +++
 internal/server/server.go             | 10 +++++++++-
 internal/server/server_helper.go      |  3 +--
 14 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/assets/tpl/admin_create_clients.html b/assets/tpl/admin_create_clients.html
index ea233ce..e2a3b06 100644
--- a/assets/tpl/admin_create_clients.html
+++ b/assets/tpl/admin_create_clients.html
@@ -20,6 +20,7 @@
         <h2>Enter valid LDAP user email addresses to quickly create new accounts.</h2>
         {{template "prt_flashes.html" .}}
         <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
             <div class="form-row">
                 <div class="form-group required col-md-12">
                     <label for="inputEmail">Email Addresses</label>
diff --git a/assets/tpl/admin_edit_client.html b/assets/tpl/admin_edit_client.html
index f42338c..4a429aa 100644
--- a/assets/tpl/admin_edit_client.html
+++ b/assets/tpl/admin_edit_client.html
@@ -22,6 +22,7 @@
         {{template "prt_flashes.html" .}}
 
         <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
             <input type="hidden" name="uid" value="{{.Peer.UID}}">
             {{if .EditableKeys}}
                 <div class="form-row">
diff --git a/assets/tpl/admin_edit_interface.html b/assets/tpl/admin_edit_interface.html
index dd6e391..ca6add4 100644
--- a/assets/tpl/admin_edit_interface.html
+++ b/assets/tpl/admin_edit_interface.html
@@ -17,6 +17,7 @@
         {{template "prt_flashes.html" .}}
 
         <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
             <input type="hidden" name="device" value="{{.Device.DeviceName}}">
             <h3>Server's interface configuration</h3>
             {{if .EditableKeys}}
diff --git a/assets/tpl/admin_edit_user.html b/assets/tpl/admin_edit_user.html
index 166e98c..e42de7a 100644
--- a/assets/tpl/admin_edit_user.html
+++ b/assets/tpl/admin_edit_user.html
@@ -14,7 +14,7 @@
 {{template "prt_nav.html" .}}
 <div class="container mt-5">
     {{if eq .User.CreatedAt .Epoch}}
-    <h1>Create a new user</h1><!-- fix me!!! -.>
+    <h1>Create a new user</h1>
     {{else}}
     <h1>Edit user <strong>{{.User.Email}}</strong></h1>
     {{end}}
@@ -22,6 +22,7 @@
     {{template "prt_flashes.html" .}}
 
     <form method="post" enctype="multipart/form-data">
+        <input type="hidden" name="_csrf" value="{{.Csrf}}">
         {{if eq .User.CreatedAt .Epoch}}
         <div class="form-row">
             <div class="form-group required col-md-12">
diff --git a/assets/tpl/login.html b/assets/tpl/login.html
index 021b777..a6b6287 100644
--- a/assets/tpl/login.html
+++ b/assets/tpl/login.html
@@ -19,6 +19,7 @@
             <div class="card-header">Please sign in</div>
             <div class="card-body">
                 <form class="form-signin" method="post">
+                    <input type="hidden" name="_csrf" value="{{.Csrf}}">
                     <div class="form-group">
                         <label for="inputUsername">Email</label>
                         <input type="text" name="username" class="form-control" id="inputUsername" aria-describedby="usernameHelp" placeholder="Enter email">
diff --git a/go.mod b/go.mod
index 9e3e5fc..27c93e4 100644
--- a/go.mod
+++ b/go.mod
@@ -11,13 +11,12 @@ require (
 	github.com/jordan-wright/email v4.0.1-0.20200917010138-e1c00e156980+incompatible
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/milosgajdos/tenus v0.0.3
-	github.com/mitchellh/gox v1.0.1 // indirect
-	github.com/necrose99/gox v0.4.0 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.7.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tatsushid/go-fastping v0.0.0-20160109021039-d7bb493dee3e
 	github.com/toorop/gin-logrus v0.0.0-20200831135515-d2ee50d38dae
+	github.com/utrack/gin-csrf v0.0.0-20190424104817-40fb8d2c8fca
 	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
diff --git a/internal/server/configuration.go b/internal/server/configuration.go
index a88d964..bb985b0 100644
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -65,6 +65,7 @@ type Config struct {
 		EditableKeys      bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
 		CreateDefaultPeer bool   `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
 		LdapEnabled       bool   `yaml:"ldapEnabled" envconfig:"LDAP_ENABLED"`
+		SessionSecret     string `yaml:"sessionSecret" envconfig:"SESSION_SECRET"`
 	} `yaml:"core"`
 	Database common.DatabaseConfig `yaml:"database"`
 	Email    common.MailConfig     `yaml:"email"`
@@ -84,6 +85,7 @@ func NewConfig() *Config {
 	cfg.Core.AdminUser = "admin@wgportal.local"
 	cfg.Core.AdminPassword = "wgportal"
 	cfg.Core.LdapEnabled = false
+	cfg.Core.SessionSecret = "secret"
 
 	cfg.Database.Typ = "sqlite"
 	cfg.Database.Database = "data/wg_portal.db"
diff --git a/internal/server/handlers_auth.go b/internal/server/handlers_auth.go
index 88fc435..20a5175 100644
--- a/internal/server/handlers_auth.go
+++ b/internal/server/handlers_auth.go
@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"
 
+	csrf "github.com/utrack/gin-csrf"
+
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/authentication"
 	"github.com/h44z/wg-portal/internal/users"
@@ -31,6 +33,7 @@ func (s *Server) GetLogin(c *gin.Context) {
 		"error":   authError != "",
 		"message": errMsg,
 		"static":  s.getStaticData(),
+		"Csrf":    csrf.GetToken(c),
 	})
 }
 
diff --git a/internal/server/handlers_common.go b/internal/server/handlers_common.go
index 054acb8..84e028a 100644
--- a/internal/server/handlers_common.go
+++ b/internal/server/handlers_common.go
@@ -4,13 +4,10 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/h44z/wg-portal/internal/users"
-
-	"github.com/h44z/wg-portal/internal/common"
-
-	"github.com/pkg/errors"
-
 	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/pkg/errors"
 )
 
 func (s *Server) GetHandleError(c *gin.Context, code int, message, details string) {
diff --git a/internal/server/handlers_interface.go b/internal/server/handlers_interface.go
index d3f3655..3b960f6 100644
--- a/internal/server/handlers_interface.go
+++ b/internal/server/handlers_interface.go
@@ -4,10 +4,10 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/wireguard"
+	csrf "github.com/utrack/gin-csrf"
 )
 
 func (s *Server) GetAdminEditInterface(c *gin.Context) {
@@ -27,6 +27,7 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 		"Device":       currentSession.FormData.(wireguard.Device),
 		"EditableKeys": s.config.Core.EditableKeys,
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 
diff --git a/internal/server/handlers_peer.go b/internal/server/handlers_peer.go
index b1a530d..2b9211d 100644
--- a/internal/server/handlers_peer.go
+++ b/internal/server/handlers_peer.go
@@ -14,6 +14,7 @@ import (
 	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/sirupsen/logrus"
 	"github.com/tatsushid/go-fastping"
+	csrf "github.com/utrack/gin-csrf"
 )
 
 type LdapCreateForm struct {
@@ -39,6 +40,7 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 
@@ -99,6 +101,7 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 
@@ -154,6 +157,7 @@ func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) {
 		"FormData":    currentSession.FormData.(LdapCreateForm),
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 
diff --git a/internal/server/handlers_user.go b/internal/server/handlers_user.go
index da8df70..17e9ff4 100644
--- a/internal/server/handlers_user.go
+++ b/internal/server/handlers_user.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/users"
+	csrf "github.com/utrack/gin-csrf"
 	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 )
@@ -79,6 +80,7 @@ func (s *Server) GetAdminUsersEdit(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 
@@ -156,6 +158,7 @@ func (s *Server) GetAdminUsersCreate(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 
diff --git a/internal/server/server.go b/internal/server/server.go
index 54b14f3..432dd2d 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -26,6 +26,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	ginlogrus "github.com/toorop/gin-logrus"
+	csrf "github.com/utrack/gin-csrf"
 	"gorm.io/gorm"
 )
 
@@ -111,6 +112,14 @@ func (s *Server) Setup(ctx context.Context) error {
 		s.server.Use(ginlogrus.Logger(logrus.StandardLogger()))
 	}
 	s.server.Use(gin.Recovery())
+	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))
+	s.server.Use(csrf.Middleware(csrf.Options{
+		Secret: s.config.Core.SessionSecret,
+		ErrorFunc: func(c *gin.Context) {
+			c.String(400, "CSRF token mismatch")
+			c.Abort()
+		},
+	}))
 	s.server.SetFuncMap(template.FuncMap{
 		"formatBytes": common.ByteCountSI,
 		"urlEncode":   url.QueryEscape,
@@ -128,7 +137,6 @@ func (s *Server) Setup(ctx context.Context) error {
 	// Setup templates
 	templates := template.Must(template.New("").Funcs(s.server.FuncMap).ParseFS(wgportal.Templates, "assets/tpl/*.html"))
 	s.server.SetHTMLTemplate(templates)
-	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte("secret")))) // TODO: change key?
 
 	// Serve static files
 	s.server.StaticFS("/css", http.FS(fsMust(fs.Sub(wgportal.Statics, "assets/css"))))
diff --git a/internal/server/server_helper.go b/internal/server/server_helper.go
index 177a4fe..cbe3e9c 100644
--- a/internal/server/server_helper.go
+++ b/internal/server/server_helper.go
@@ -8,10 +8,9 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/h44z/wg-portal/internal/common"
 	"github.com/h44z/wg-portal/internal/users"
+	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"