CSRF protection should only cover /rest
This commit is contained in:
parent
31350b4352
commit
b7ea695caf
|
@ -126,8 +126,9 @@ func startGUI(cfg config.GUIConfiguration, assetDir string, m *model.Model) erro
|
||||||
mux.HandleFunc("/", embeddedStatic)
|
mux.HandleFunc("/", embeddedStatic)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wrap everything in CSRF protection
|
// Wrap everything in CSRF protection. The /rest prefix should be
|
||||||
handler := csrfMiddleware(mux)
|
// protected, other requests will grant cookies.
|
||||||
|
handler := csrfMiddleware("/rest", mux)
|
||||||
|
|
||||||
// Wrap everything in basic auth, if user/password is set.
|
// Wrap everything in basic auth, if user/password is set.
|
||||||
if len(cfg.User) > 0 {
|
if len(cfg.User) > 0 {
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -20,7 +21,7 @@ var csrfMut sync.Mutex
|
||||||
// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
|
// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
|
||||||
// the request with 403. For / and /index.html, set a new CSRF cookie if none
|
// the request with 403. For / and /index.html, set a new CSRF cookie if none
|
||||||
// is currently set.
|
// is currently set.
|
||||||
func csrfMiddleware(next http.Handler) http.Handler {
|
func csrfMiddleware(prefix string, next http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
// Allow requests carrying a valid API key
|
// Allow requests carrying a valid API key
|
||||||
if validAPIKey(r.Header.Get("X-API-Key")) {
|
if validAPIKey(r.Header.Get("X-API-Key")) {
|
||||||
|
@ -29,7 +30,7 @@ func csrfMiddleware(next http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
|
// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
|
||||||
if r.URL.Path == "/" || r.URL.Path == "/index.html" {
|
if !strings.HasPrefix(r.URL.Path, prefix) {
|
||||||
cookie, err := r.Cookie("CSRF-Token")
|
cookie, err := r.Cookie("CSRF-Token")
|
||||||
if err != nil || !validCsrfToken(cookie.Value) {
|
if err != nil || !validCsrfToken(cookie.Value) {
|
||||||
cookie = &http.Cookie{
|
cookie = &http.Cookie{
|
||||||
|
|
Loading…
Reference in New Issue