diff --git a/alby.go b/alby.go
index 9baf3841..bc5dba29 100644
--- a/alby.go
+++ b/alby.go
@@ -153,6 +153,7 @@ func (svc *AlbyOAuthService) AuthHandler(c echo.Context) error {
 if (sess.Values["user_id"] != nil) {
 delete(sess.Values, "user_id")
 sess.Options.MaxAge = 0
+ sess.Options.SameSite = http.SameSiteLaxMode
 if svc.cfg.CookieDomain != "" {
 sess.Options.Domain = svc.cfg.CookieDomain
 }
@@ -203,6 +204,7 @@ func (svc *AlbyOAuthService) CallbackHandler(c echo.Context) error {
 sess, _ := session.Get(CookieName, c)
 sess.Options.MaxAge = 0
+ sess.Options.SameSite = http.SameSiteLaxMode
 if svc.cfg.CookieDomain != "" {
 sess.Options.Domain = svc.cfg.CookieDomain
 }
diff --git a/echo_handlers.go b/echo_handlers.go
index e9a3f60a..eab35c1c 100644
--- a/echo_handlers.go
+++ b/echo_handlers.go
@@ -64,6 +64,9 @@ func (svc *Service) RegisterSharedRoutes(e *echo.Echo) {
 e.Use(middleware.Recover())
 e.Use(middleware.RequestID())
+ e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+ TokenLookup: "form:_csrf",
+ }))
 e.Use(session.Middleware(sessions.NewCookieStore([]byte(svc.cfg.CookieSecret))))
 e.Use(ddEcho.Middleware(ddEcho.WithServiceName("nostr-wallet-connect")))
@@ -90,6 +93,7 @@ func (svc *Service) IndexHandler(c echo.Context) error {
 if user != nil && returnTo != nil {
 delete(sess.Values, "return_to")
 sess.Options.MaxAge = 0
+ sess.Options.SameSite = http.SameSiteLaxMode
 if svc.cfg.CookieDomain != "" {
 sess.Options.Domain = svc.cfg.CookieDomain
 }
@@ -143,6 +147,7 @@ func (svc *Service) AppsListHandler(c echo.Context) error {
 }
 func (svc *Service) AppsShowHandler(c echo.Context) error {
+ csrf, _ := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
 user, err := svc.GetUser(c)
 if err != nil {
 return err
@@ -179,6 +184,7 @@ func (svc *Service) AppsShowHandler(c echo.Context) error {
 "EventsCount": eventsCount,
 "BudgetUsage": budgetUsage,
 "RenewsIn": renewsIn,
+ "Csrf": csrf,
 })
 }
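Review bot: The SameSite attribute is assigned only on this save path, so the same session cookie written by any other handler that calls `sess.Save` without touching `sess.Options.SameSite` goes out with the store's default options and no SameSite attribute at all; the identical per-handler assignment is repeated in CallbackHandler, IndexHandler and AppsNewHandler. Setting it once on the store in RegisterSharedRoutes covers every save without relying on each handler remembering it: `store := sessions.NewCookieStore([]byte(svc.cfg.CookieSecret))`, `store.Options.SameSite = http.SameSiteLaxMode`, `e.Use(session.Middleware(store))`. The store's `Secure` and `HttpOnly` options are not set anywhere visible on this page either — worth confirming they are, since this cookie carries `user_id`. AuthHandler's body begins and continues outside the hunk.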
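Review bot: The CSRF middleware is configured with only `TokenLookup`, so its `_csrf` cookie is issued with echo's defaults — no Domain, no SameSite, not Secure — while the session cookie in this same commit is given `svc.cfg.CookieDomain` and `http.SameSiteLaxMode`; under a configured cookie domain the two cookies can end up scoped differently. Mirroring the session settings keeps them consistent: `CookieDomain: svc.cfg.CookieDomain,`, `CookieSameSite: http.SameSiteLaxMode,` and `CookieSecure: true,` (the last only if the service is always served over TLS). `form:_csrf` also means any state-changing route that is not a form post — JSON or other non-form calls, if this service has any — will now be rejected by the middleware; such routes would need a `Skipper` or an additional `header:X-CSRF-Token` lookup where the echo version in use supports multiple sources. RegisterSharedRoutes continues past the hunk.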
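Review bot: The `_` on the `csrf` line discards the type-assertion result, so if the CSRF middleware is skipped or the context key is absent the handler silently renders an empty hidden field and the form post only fails later at the middleware rather than here; AppsNewHandler uses the same pattern. Keeping the ok and failing early makes a misconfiguration visible at the page that produced it: `csrf, ok := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)`, `if !ok { return echo.NewHTTPError(http.StatusInternalServerError, "csrf token missing") }`. Whether that path can actually be reached depends on how routes are grouped outside this page. AppsShowHandler continues past the hunk.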
@@ -217,6 +223,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 expiresAt := c.QueryParam("expires_at") // YYYY-MM-DD or MM/DD/YYYY
 disabled := c.QueryParam("editable") == "false"
 budgetEnabled := maxAmount != "" || budgetRenewal != ""
+ csrf, _ := c.Get(middleware.DefaultCSRFConfig.ContextKey).(string)
 user, err := svc.GetUser(c)
 if err != nil {
@@ -226,6 +233,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 sess, _ := session.Get(CookieName, c)
 sess.Values["return_to"] = c.Path() + "?" + c.QueryString()
 sess.Options.MaxAge = 0
+ sess.Options.SameSite = http.SameSiteLaxMode
 if svc.cfg.CookieDomain != "" {
 sess.Options.Domain = svc.cfg.CookieDomain
 }
@@ -243,6 +251,7 @@ func (svc *Service) AppsNewHandler(c echo.Context) error {
 "ExpiresAt": expiresAt,
 "BudgetEnabled": budgetEnabled,
 "Disabled": disabled,
+ "Csrf": csrf,
 })
 }
diff --git a/views/apps/new.html b/views/apps/new.html
index 272b1514..252621ad 100644
--- a/views/apps/new.html
+++ b/views/apps/new.html
@@ -28,6 +28,7 @@

+ {{ if eq .Name "" }} diff --git a/views/apps/show.html b/views/apps/show.html index 64c6b019..67c661fa 100644 --- a/views/apps/show.html +++ b/views/apps/show.html @@ -66,6 +66,7 @@

Danger zone

+