🔒 Improved CSRF middleware configuration

2022-02-08 01:34:03 +05:00 · 2022-02-08 01:34:03 +05:00 · 98b6d77dc1
parent e463a437ee
commit 98b6d77dc1
2 changed files with 14 additions and 8 deletions
--- a/internal/auth/delivery/http/auth_http.go
+++ b/internal/auth/delivery/http/auth_http.go
@ -123,13 +123,15 @@ func (h *RequestHandler) Register(r *router.Router) {
 	chain := middleware.Chain{
 		middleware.CSRFWithConfig(middleware.CSRFConfig{
 			Skipper: func(ctx *http.RequestCtx) bool {
-				return ctx.IsPost() && string(ctx.Path()) == "/authorize"
+				matched, _ := path.Match("/authorize*", string(ctx.Path()))
+
+				return ctx.IsPost() && matched
 			},
 			CookieMaxAge:   0,
 			CookieSameSite: http.CookieSameSiteStrictMode,
-			ContextKey:     "",
-			CookieDomain:   "",
-			CookieName:     "_csrf",
+			ContextKey:     "csrf",
+			CookieDomain:   h.config.Server.Domain,
+			CookieName:     "__Secure-csrf",
 			CookiePath:     "",
 			TokenLookup:    "form:_csrf",
 			TokenLength:    0,
@ -226,6 +228,7 @@ func (h *RequestHandler) handleRender(ctx *http.RequestCtx) {
 }

 func (h *RequestHandler) handleVerify(ctx *http.RequestCtx) {
+	ctx.Response.Header.Set(http.HeaderAccessControlAllowOrigin, h.config.Server.Domain)
 	ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)

 	encoder := json.NewEncoder(ctx)
@ -399,6 +402,7 @@ func NewAuthVerifyRequest() *AuthVerifyRequest {
 	}
 }

+//nolint: funlen
 func (r *AuthVerifyRequest) bind(ctx *http.RequestCtx) error {
 	indieAuthError := new(domain.Error)

--- a/internal/ticket/delivery/http/ticket_http.go
+++ b/internal/ticket/delivery/http/ticket_http.go
@ -65,10 +65,10 @@ func (h *RequestHandler) Register(r *router.Router) {
 				return ctx.IsPost() && matched
 			},
 			CookieMaxAge:   0,
-			CookieSameSite: http.CookieSameSiteLaxMode,
+			CookieSameSite: http.CookieSameSiteStrictMode,
 			ContextKey:     "csrf",
-			CookieDomain:   "",
-			CookieName:     "_csrf",
+			CookieDomain:   h.config.Server.Domain,
+			CookieName:     "__Secure-csrf",
 			CookiePath:     "",
 			TokenLookup:    "form:_csrf",
 			TokenLength:    0,
@ -88,7 +88,8 @@ func (h *RequestHandler) Register(r *router.Router) {
 			SigningMethod:           jwa.SignatureAlgorithm(h.config.JWT.Algorithm),
 			Skipper:                 middleware.DefaultSkipper,
 			SuccessHandler:          nil,
-			TokenLookup:             middleware.SourceHeader + ":" + http.HeaderAuthorization,
+			TokenLookup: middleware.SourceHeader + ":" + http.HeaderAuthorization +
+				"," + middleware.SourceCookie + ":" + "__Secure-auth-token",
 		}),
 		middleware.LogFmt(),
 	}
@ -117,6 +118,7 @@ func (h *RequestHandler) handleRender(ctx *http.RequestCtx) {
 }

 func (h *RequestHandler) handleSend(ctx *http.RequestCtx) {
+	ctx.Response.Header.Set(http.HeaderAccessControlAllowOrigin, h.config.Server.Domain)
 	ctx.SetContentType(common.MIMEApplicationJSONCharsetUTF8)
 	ctx.SetStatusCode(http.StatusOK)