Merge pull request #102 from getAlby/task-csrf

feat: use csrf middleware

alby.go

@@ -153,6 +153,7 @@ func (svc *AlbyOAuthService) AuthHandler(c echo.Context) error {
 	if (sess.Values["user_id"] != nil) {
 		delete(sess.Values, "user_id")
 		sess.Options.MaxAge = 0
+		sess.Options.SameSite = http.SameSiteLaxMode
 		if svc.cfg.CookieDomain != "" {
 			sess.Options.Domain = svc.cfg.CookieDomain
 		}
@@ -203,6 +204,7 @@ func (svc *AlbyOAuthService) CallbackHandler(c echo.Context) error {
 
 	sess, _ := session.Get(CookieName, c)
 	sess.Options.MaxAge = 0
+	sess.Options.SameSite = http.SameSiteLaxMode
 	if svc.cfg.CookieDomain != "" {
 		sess.Options.Domain = svc.cfg.CookieDomain
 	}

echo_handlers.go

@@ -64,6 +64,9 @@ func (svc *Service) RegisterSharedRoutes(e *echo.Echo) {
 
 	e.Use(middleware.Recover())
 	e.Use(middleware.RequestID())
+	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+    TokenLookup: "form:_csrf",
+	}))
 	e.Use(session.Middleware(sessions.NewCookieStore([]byte(svc.cfg.CookieSecret))))
 	e.Use(ddEcho.Middleware(ddEcho.WithServiceName("nostr-wallet-connect")))
 
@@ -90,6 +93,7 @@ func (svc *Service) IndexHandler(c echo.Context) error {
 	if user != nil && returnTo != nil {
 		delete(sess.Values, "return_to")
 		sess.Options.MaxAge = 0
+		sess.Options.SameSite = http.SameSiteLaxMode
 		if svc.cfg.CookieDomain != "" {
 			sess.Options.Domain = svc.cfg.CookieDomain
 		}
@@ -143,6 +147,7 @@ func (svc *Service) AppsListHandler(c echo.Context) error {
 }
 
 func (svc *Service) AppsShowHandler(c echo.Context) error {
+	csrf, _ := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
 	user, err := svc.GetUser(c)
 	if err != nil {
 		return err
@@ -179,6 +184,7 @@ func (svc *Service) AppsShowHandler(c echo.Context) error {
 		"EventsCount":   eventsCount,
 		"BudgetUsage":   budgetUsage,
 		"RenewsIn":      renewsIn,
+		"Csrf":          csrf,
 	})
 }
 
@@ -217,6 +223,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 	expiresAt := c.QueryParam("expires_at") // YYYY-MM-DD or MM/DD/YYYY
 	disabled := c.QueryParam("editable") == "false"
 	budgetEnabled := maxAmount != "" || budgetRenewal != ""
+	csrf, _ := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
 
 	user, err := svc.GetUser(c)
 	if err != nil {
@@ -226,6 +233,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 		sess, _ := session.Get(CookieName, c)
 		sess.Values["return_to"] = c.Path() + "?" + c.QueryString()
 		sess.Options.MaxAge = 0
+		sess.Options.SameSite = http.SameSiteLaxMode
 		if svc.cfg.CookieDomain != "" {
 			sess.Options.Domain = svc.cfg.CookieDomain
 		}
@@ -243,6 +251,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 		"ExpiresAt":     expiresAt,
 		"BudgetEnabled": budgetEnabled,
 		"Disabled":      disabled,
+		"Csrf":          csrf,
 	})
 }
 

views/apps/new.html

@@ -28,6 +28,7 @@ <h2 class="font-bold text-2xl font-headline mb-4 dark:text-white">
 
   <form method="POST" action="/apps" accept-charset="UTF-8">
     <div {{ if .Disabled }}class="opacity-80 pointer-events-none"{{ end }}>
+      <input type="hidden" name="_csrf" value="{{.Csrf}}">
       <input type="hidden" name="pubkey" value="{{.Pubkey}}" />
       <input type="hidden" name="returnTo" value="{{.ReturnTo}}" />
       {{ if eq .Name "" }}

views/apps/show.html

@@ -66,6 +66,7 @@ <h3 class="text-xl font-headline mb-2 dark:text-white">Danger zone</h3>
   </div>
 
   <form method="post" action="/apps/delete/{{.App.ID}}">
+    <input type="hidden" name="_csrf" value="{{.Csrf}}">
     <button type="submit"
       class="inline-flex bg-white border border-red-400 cursor-pointer dark:bg-surface-02dp dark:hover:bg-surface-16dp duration-150 focus-visible:ring-2 focus-visible:ring-offset-2 focus:outline-none font-medium hover:bg-gray-50 items-center justify-center px-5 py-3 rounded-md shadow text-gray-700 dark:text-neutral-300 transition w-full sm:w-[250px] sm:mr-8 mt-8 sm:mt-0 order-last sm:order-first">Disconnect</button>
   </form>