Csrf

.dockerignore

@@ -0,0 +1,4 @@
+db-data
+/cmd/server/db-data
+.git
+.gitignore

cmd/server/main.go

@@ -2,16 +2,16 @@ package main
 
 import (
 	"context"
+	"kudago/internal/db"
 	"log"
 	"net/http"
 
-	"kudago/internal/db"
-
 	"kudago/config"
 	_ "kudago/docs"
 	"kudago/internal/http/auth"
 	"kudago/internal/http/events"
 	"kudago/internal/middleware"
+	csrfRepository "kudago/internal/repository/csrf"
 	eventRepository "kudago/internal/repository/events"
 	sessionRepository "kudago/internal/repository/session"
 	userRepository "kudago/internal/repository/users"
@@ -33,6 +33,7 @@ import (
 
 func main() {
 	port := config.LoadConfig()
+	encryptionKey := config.LoadEncriptionKey()
 
 	logger, err := zap.NewProduction()
 	if err != nil {
@@ -55,9 +56,10 @@ func main() {
 
 	userDB := userRepository.NewDB(pool)
 	sessionDB := sessionRepository.NewDB(redisClient)
+	csrfDB := csrfRepository.NewDB(redisClient)
 	eventDB := eventRepository.NewDB(pool)
 
-	authService := authService.NewService(userDB, sessionDB)
+	authService := authService.NewService(userDB, sessionDB, csrfDB)
 	eventService := eventService.NewService(eventDB)
 
 	authHandler := auth.NewAuthHandler(&authService)
@@ -96,7 +98,7 @@ func main() {
 		"/categories",
 	}
 
-	handlerWithAuth := middleware.AuthMiddleware(whitelist, authHandler, r)
+	handlerWithAuth := middleware.AuthWithCSRFMiddleware(whitelist, authHandler, encryptionKey, r)
 	handlerWithCORS := middleware.CORSMiddleware(handlerWithAuth)
 	handlerWithLogging := middleware.LoggingMiddleware(handlerWithCORS, sugar)
 	handler := middleware.PanicMiddleware(handlerWithLogging)

config/config.go

@@ -18,3 +18,8 @@ func LoadConfig() string {
 	log.Printf("Используется порт: %s", port)
 	return port
 }
+
+func LoadEncriptionKey() []byte {
+	key := os.Getenv("ENCRYPTION_KEY")
+	return []byte(key)
+}

docker-compose.yml

@@ -8,10 +8,7 @@ services:
       - "8080:8080"
     depends_on:
       - postgres
-    environment:
-      POSTGRES_DB: kudago_db
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      - redis
     env_file:
       - .env
     volumes:
@@ -26,11 +23,14 @@ services:
     ports:
       - "5432:5432"
     volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - ${PWD}/db-data/:/var/lib/postgresql/data/
   redis:
     image: redis:latest
     ports:
-    - "6379:6379" 
+    - "6379:6379"
+    command: [ "redis-server", "--requirepass", "${REDIS_PASSWORD}" ]
+    env_file:
+        - .env
 
 volumes:
   postgres_data:

internal/http/auth/auth.go

@@ -28,6 +28,8 @@ type AuthService interface {
 	Register(ctx context.Context, user models.User) (models.User, error)
 	CreateSession(ctx context.Context, ID int) (models.Session, error)
 	DeleteSession(ctx context.Context, token string)
+	CreateCSRF(ctx context.Context, encryptionKey []byte, s *models.Session) (string, error)
+	CheckCSRF(ctx context.Context, encryptionKey []byte, s *models.Session, inputToken string) (bool, error)
 }
 
 type RegisterRequest struct {
@@ -291,3 +293,10 @@ func userToProfileResponse(user models.User) ProfileResponse {
 func (h *AuthHandler) CheckSessionMiddleware(ctx context.Context, cookie string) (models.Session, bool) {
 	return h.service.CheckSession(ctx, cookie)
 }
+func (h *AuthHandler) CheckCSRFMiddleware(ctx context.Context, encryptionKey []byte, s *models.Session, inputToken string) (bool, error) {
+	return h.service.CheckCSRF(ctx, encryptionKey, s, inputToken)
+}
+
+func (h *AuthHandler) CreateCSRFMiddleware(ctx context.Context, encryptionKey []byte, s *models.Session) (string, error) {
+	return h.service.CreateCSRF(ctx, encryptionKey, s)
+}

internal/http/utils/utils.go

@@ -22,6 +22,10 @@ type sessionKeyType struct{}
 
 var sessionKey sessionKeyType
 
+type csrfKeyType struct{}
+
+var csrfKey sessionKeyType
+
 type requestIDKeyType struct{}
 
 var requestIDKey requestIDKeyType
@@ -43,6 +47,18 @@ func SetSessionInContext(ctx context.Context, session models.Session) context.Co
 	return context.WithValue(ctx, sessionKey, session)
 }
 
+func GetCSRFFromContext(ctx context.Context) (models.TokenData, bool) {
+	csrfKey, ok := ctx.Value(csrfKey).(models.TokenData)
+	if !ok {
+		return csrfKey, false
+	}
+	return csrfKey, true
+}
+
+func SetCSRFInContext(ctx context.Context, token models.TokenData) context.Context {
+	return context.WithValue(ctx, csrfKey, token)
+}
+
 func GetRequestIDFromContext(ctx context.Context) string {
 	ID, _ := ctx.Value(requestIDKey).(string)
 	return ID

internal/middleware/auth.go

@@ -1,39 +1,81 @@
 package middleware
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 
 	"kudago/internal/http/auth"
 	"kudago/internal/http/utils"
+	"kudago/internal/models"
 )
 
 const (
 	SessionToken = "session_token"
-	SessionKey   = "session"
 )
 
-func AuthMiddleware(whitelist []string, authHandler *auth.AuthHandler, next http.Handler) http.Handler {
+func AuthWithCSRFMiddleware(whitelist []string, authHandler *auth.AuthHandler, encryptionKey []byte, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Проверяем сессионный токен
 		cookie, err := r.Cookie(SessionToken)
 		if err == nil {
 			session, authenticated := authHandler.CheckSessionMiddleware(r.Context(), cookie.Value)
 			if authenticated {
 				ctx := utils.SetSessionInContext(r.Context(), session)
 				r = r.WithContext(ctx)
+
+				w.Header().Set("X-Test-Header", "test-value")
+				if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
+					csrfToken := r.Header.Get("X-CSRF-Token")
+					fmt.Println("CSRF Token got from header:", csrfToken)
+					if csrfToken == "" {
+						utils.WriteResponse(w, http.StatusForbidden, map[string]string{"error": "CSRF token missing"})
+						return
+					}
+
+					valid, err := authHandler.CheckCSRFMiddleware(r.Context(), encryptionKey, &session, csrfToken)
+					if err != nil || !valid {
+						utils.WriteResponse(w, http.StatusForbidden, map[string]string{"error": "Invalid CSRF token"})
+						return
+					}
+				} else if r.Method == http.MethodGet {
+					session, ok := utils.GetSessionFromContext(r.Context())
+					if ok {
+						csrfToken, err := authHandler.CreateCSRFMiddleware(r.Context(), encryptionKey, &session)
+						if err != nil {
+							utils.WriteResponse(w, http.StatusInternalServerError, map[string]string{"error": "Failed to generate CSRF token"})
+							return
+						}
+						fmt.Println("Generated CSRF Token:", csrfToken)
+
+						w.Header().Set("X-CSRF-Token", csrfToken)
+						fmt.Println("Setting X-CSRF-Token in header:", w.Header().Get("X-CSRF-Token"))
+
+						// Далее проверьте, что токен установлен
+						for k, v := range w.Header() {
+							fmt.Printf("Header after setting CSRF: %s: %s\n", k, v)
+						}
+
+						ctx := utils.SetCSRFInContext(r.Context(), models.TokenData{CSRFtoken: csrfToken})
+						r = r.WithContext(ctx)
+					}
+				}
+
+				// Переходим к следующему обработчику
 				next.ServeHTTP(w, r)
 				return
 			}
 		}
 
+		// Если маршрут в white list, пропускаем проверку
 		for _, path := range whitelist {
 			if strings.HasPrefix(r.URL.Path, path) {
 				next.ServeHTTP(w, r)
 				return
 			}
 		}
 
+		// Отправляем ошибку, если запрос не авторизован
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
-		return
 	})
 }

internal/models/csrf_token.go

@@ -0,0 +1,10 @@
+package models
+
+import "time"
+
+type TokenData struct {
+	CSRFtoken    string
+	SessionToken string
+	UserID       int
+	Exp          time.Time
+}

internal/repository/csrf/csrf.go

@@ -0,0 +1,117 @@
+package csrf
+
+import (
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/redis/go-redis/v9"
+	"kudago/internal/models"
+)
+
+const CSRFTokenExpTime = 15 * time.Minute
+
+type csrfDB struct {
+	client *redis.Client
+}
+
+func NewDB(client *redis.Client) *csrfDB {
+	return &csrfDB{client: client}
+}
+
+func (db *csrfDB) CreateCSRF(ctx context.Context, encryptionKey []byte, s *models.Session) (string, error) {
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return "", err
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonce := make([]byte, aesgcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", err
+	}
+
+	tokenExpTime := time.Now().Add(CSRFTokenExpTime)
+	td := models.TokenData{
+		SessionToken: s.Token,
+		UserID:       s.UserID,
+		Exp:          tokenExpTime,
+	}
+	data, _ := json.Marshal(td)
+	ciphertext := aesgcm.Seal(nil, nonce, data, nil)
+
+	res := append(nonce, ciphertext...)
+	token := base64.StdEncoding.EncodeToString(res)
+
+	err = db.client.Set(ctx, PrefixedKey(s.Token), token, CSRFTokenExpTime).Err()
+	if err != nil {
+		return "", fmt.Errorf("failed to store token in Redis: %v", err)
+	}
+
+	return token, nil
+}
+
+func (db *csrfDB) CheckCSRF(ctx context.Context, encryptionKey []byte, s *models.Session, inputToken string) (bool, error) {
+	storedToken, err := db.client.Get(ctx, PrefixedKey(s.Token)).Result()
+	if err == redis.Nil {
+		return false, fmt.Errorf("token not found in Redis")
+	} else if err != nil {
+		return false, fmt.Errorf("failed to get token from Redis: %v", err)
+	}
+
+	if storedToken != inputToken {
+		return false, fmt.Errorf("invalid token")
+	}
+
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return false, err
+	}
+
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return false, err
+	}
+
+	ciphertext, err := base64.StdEncoding.DecodeString(inputToken)
+	if err != nil {
+		return false, err
+	}
+
+	nonceSize := aesgcm.NonceSize()
+	if len(ciphertext) < nonceSize {
+		return false, fmt.Errorf("short ciphertext")
+	}
+
+	nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
+	plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return false, fmt.Errorf("decrypt fail: %v", err)
+	}
+
+	td := &models.TokenData{}
+	err = json.Unmarshal(plaintext, &td)
+	if err != nil {
+		return false, fmt.Errorf("bad json: %v", err)
+	}
+
+	if td.Exp.Unix() < time.Now().Unix() {
+		return false, fmt.Errorf("token expired")
+	}
+
+	return s.Token == td.SessionToken && s.UserID == td.UserID, nil
+}
+
+func PrefixedKey(key string) string {
+	return fmt.Sprintf("%s:%s", key, "csrf")
+}

internal/service/auth/auth.go

@@ -9,6 +9,7 @@ import (
 type authService struct {
 	UserDB    UserDB
 	SessionDB SessionDB
+	CsrfDB    CsrfDB
 }
 
 type UserDB interface {
@@ -24,8 +25,13 @@ type SessionDB interface {
 	DeleteSession(ctx context.Context, token string)
 }
 
-func NewService(userDB UserDB, sessionDB SessionDB) authService {
-	return authService{UserDB: userDB, SessionDB: sessionDB}
+type CsrfDB interface {
+	CreateCSRF(ctx context.Context, encryptionKey []byte, s *models.Session) (string, error)
+	CheckCSRF(ctx context.Context, encryptionKey []byte, s *models.Session, inputToken string) (bool, error)
+}
+
+func NewService(userDB UserDB, sessionDB SessionDB, csrfDB CsrfDB) authService {
+	return authService{UserDB: userDB, SessionDB: sessionDB, CsrfDB: csrfDB}
 }
 
 func (a *authService) CheckSession(ctx context.Context, cookie string) (models.Session, bool) {
@@ -62,3 +68,10 @@ func (a *authService) CreateSession(ctx context.Context, ID int) (models.Session
 func (a *authService) DeleteSession(ctx context.Context, token string) {
 	a.SessionDB.DeleteSession(ctx, token)
 }
+func (a *authService) CreateCSRF(ctx context.Context, encryptionKey []byte, s *models.Session) (string, error) {
+	return a.CsrfDB.CreateCSRF(ctx, encryptionKey, s)
+}
+
+func (a *authService) CheckCSRF(ctx context.Context, encryptionKey []byte, s *models.Session, inputToken string) (bool, error) {
+	return a.CsrfDB.CheckCSRF(ctx, encryptionKey, s, inputToken)
+}