add csrf

2024-11-23 07:03:50 -05:00 · 2021-03-22 22:51:37 +01:00 · 2021-03-22 22:51:37 +01:00 · 588f8c7c70
commit 588f8c7c70
parent 68507c3bcd
14 changed files with 35 additions and 14 deletions
--- a/assets/tpl/admin_create_clients.html
+++ b/assets/tpl/admin_create_clients.html
@ -20,6 +20,7 @@
        <h2>Enter valid LDAP user email addresses to quickly create new accounts.</h2>
        {{template "prt_flashes.html" .}}
        <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
            <div class="form-row">
                <div class="form-group required col-md-12">
                    <label for="inputEmail">Email Addresses</label>
--- a/assets/tpl/admin_edit_client.html
+++ b/assets/tpl/admin_edit_client.html
@ -22,6 +22,7 @@
        {{template "prt_flashes.html" .}}

        <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
            <input type="hidden" name="uid" value="{{.Peer.UID}}">
            {{if .EditableKeys}}
                <div class="form-row">
--- a/assets/tpl/admin_edit_interface.html
+++ b/assets/tpl/admin_edit_interface.html
@ -17,6 +17,7 @@
        {{template "prt_flashes.html" .}}

        <form method="post" enctype="multipart/form-data">
+            <input type="hidden" name="_csrf" value="{{.Csrf}}">
            <input type="hidden" name="device" value="{{.Device.DeviceName}}">
            <h3>Server's interface configuration</h3>
            {{if .EditableKeys}}
--- a/assets/tpl/admin_edit_user.html
+++ b/assets/tpl/admin_edit_user.html
@ -14,7 +14,7 @@
 {{template "prt_nav.html" .}}
 <div class="container mt-5">
    {{if eq .User.CreatedAt .Epoch}}
-    <h1>Create a new user</h1><!-- fix me!!! -.>
+    <h1>Create a new user</h1>
    {{else}}
    <h1>Edit user <strong>{{.User.Email}}</strong></h1>
    {{end}}
@ -22,6 +22,7 @@
    {{template "prt_flashes.html" .}}

    <form method="post" enctype="multipart/form-data">
+        <input type="hidden" name="_csrf" value="{{.Csrf}}">
        {{if eq .User.CreatedAt .Epoch}}
        <div class="form-row">
            <div class="form-group required col-md-12">
--- a/assets/tpl/login.html
+++ b/assets/tpl/login.html
@ -19,6 +19,7 @@
            <div class="card-header">Please sign in</div>
            <div class="card-body">
                <form class="form-signin" method="post">
+                    <input type="hidden" name="_csrf" value="{{.Csrf}}">
                    <div class="form-group">
                        <label for="inputUsername">Email</label>
                        <input type="text" name="username" class="form-control" id="inputUsername" aria-describedby="usernameHelp" placeholder="Enter email">
--- a/go.mod
+++ b/go.mod
@ -11,13 +11,12 @@ require (
 	github.com/jordan-wright/email v4.0.1-0.20200917010138-e1c00e156980+incompatible
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/milosgajdos/tenus v0.0.3
-	github.com/mitchellh/gox v1.0.1 // indirect
-	github.com/necrose99/gox v0.4.0 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.7.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tatsushid/go-fastping v0.0.0-20160109021039-d7bb493dee3e
 	github.com/toorop/gin-logrus v0.0.0-20200831135515-d2ee50d38dae
+	github.com/utrack/gin-csrf v0.0.0-20190424104817-40fb8d2c8fca
 	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@ -65,6 +65,7 @@ type Config struct {
 		EditableKeys      bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
 		CreateDefaultPeer bool   `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
 		LdapEnabled       bool   `yaml:"ldapEnabled" envconfig:"LDAP_ENABLED"`
+		SessionSecret     string `yaml:"sessionSecret" envconfig:"SESSION_SECRET"`
 	} `yaml:"core"`
 	Database common.DatabaseConfig `yaml:"database"`
 	Email    common.MailConfig     `yaml:"email"`
@ -84,6 +85,7 @@ func NewConfig() *Config {
 	cfg.Core.AdminUser = "admin@wgportal.local"
 	cfg.Core.AdminPassword = "wgportal"
 	cfg.Core.LdapEnabled = false
+	cfg.Core.SessionSecret = "secret"

 	cfg.Database.Typ = "sqlite"
 	cfg.Database.Database = "data/wg_portal.db"
--- a/internal/server/handlers_auth.go
+++ b/internal/server/handlers_auth.go
@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"

+	csrf "github.com/utrack/gin-csrf"
+
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/authentication"
 	"github.com/h44z/wg-portal/internal/users"
@ -31,6 +33,7 @@ func (s *Server) GetLogin(c *gin.Context) {
 		"error":   authError != "",
 		"message": errMsg,
 		"static":  s.getStaticData(),
+		"Csrf":    csrf.GetToken(c),
 	})
 }

--- a/internal/server/handlers_common.go
+++ b/internal/server/handlers_common.go
@ -4,13 +4,10 @@ import (
 	"net/http"
 	"strconv"

-	"github.com/h44z/wg-portal/internal/users"
-
-	"github.com/h44z/wg-portal/internal/common"
-
-	"github.com/pkg/errors"
-
 	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/pkg/errors"
 )

 func (s *Server) GetHandleError(c *gin.Context, code int, message, details string) {
--- a/internal/server/handlers_interface.go
+++ b/internal/server/handlers_interface.go
@ -4,10 +4,10 @@ import (
 	"net/http"
 	"strings"

-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/wireguard"
+	csrf "github.com/utrack/gin-csrf"
 )

 func (s *Server) GetAdminEditInterface(c *gin.Context) {
@ -27,6 +27,7 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 		"Device":       currentSession.FormData.(wireguard.Device),
 		"EditableKeys": s.config.Core.EditableKeys,
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }

--- a/internal/server/handlers_peer.go
+++ b/internal/server/handlers_peer.go
@ -14,6 +14,7 @@ import (
 	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/sirupsen/logrus"
 	"github.com/tatsushid/go-fastping"
+	csrf "github.com/utrack/gin-csrf"
 )

 type LdapCreateForm struct {
@ -39,6 +40,7 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }

@ -99,6 +101,7 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }

@ -154,6 +157,7 @@ func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) {
 		"FormData":    currentSession.FormData.(LdapCreateForm),
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
+		"Csrf":        csrf.GetToken(c),
 	})
 }

--- a/internal/server/handlers_user.go
+++ b/internal/server/handlers_user.go
@ -7,6 +7,7 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/users"
+	csrf "github.com/utrack/gin-csrf"
 	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 )
@ -79,6 +80,7 @@ func (s *Server) GetAdminUsersEdit(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }

@ -156,6 +158,7 @@ func (s *Server) GetAdminUsersCreate(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }

--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -26,6 +26,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	ginlogrus "github.com/toorop/gin-logrus"
+	csrf "github.com/utrack/gin-csrf"
 	"gorm.io/gorm"
 )

@ -111,6 +112,14 @@ func (s *Server) Setup(ctx context.Context) error {
 		s.server.Use(ginlogrus.Logger(logrus.StandardLogger()))
 	}
 	s.server.Use(gin.Recovery())
+	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))
+	s.server.Use(csrf.Middleware(csrf.Options{
+		Secret: s.config.Core.SessionSecret,
+		ErrorFunc: func(c *gin.Context) {
+			c.String(400, "CSRF token mismatch")
+			c.Abort()
+		},
+	}))
 	s.server.SetFuncMap(template.FuncMap{
 		"formatBytes": common.ByteCountSI,
 		"urlEncode":   url.QueryEscape,
@ -128,7 +137,6 @@ func (s *Server) Setup(ctx context.Context) error {
 	// Setup templates
 	templates := template.Must(template.New("").Funcs(s.server.FuncMap).ParseFS(wgportal.Templates, "assets/tpl/*.html"))
 	s.server.SetHTMLTemplate(templates)
-	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte("secret")))) // TODO: change key?

 	// Serve static files
 	s.server.StaticFS("/css", http.FS(fsMust(fs.Sub(wgportal.Statics, "assets/css"))))
--- a/internal/server/server_helper.go
+++ b/internal/server/server_helper.go
@ -8,10 +8,9 @@ import (
 	"syscall"
 	"time"

-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/h44z/wg-portal/internal/common"
 	"github.com/h44z/wg-portal/internal/users"
+	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"