add csrf

internal/server/configuration.go

@@ -65,6 +65,7 @@ type Config struct {
 		EditableKeys      bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
 		CreateDefaultPeer bool   `yaml:"createDefaultPeer" envconfig:"CREATE_DEFAULT_PEER"`
 		LdapEnabled       bool   `yaml:"ldapEnabled" envconfig:"LDAP_ENABLED"`
+		SessionSecret     string `yaml:"sessionSecret" envconfig:"SESSION_SECRET"`
 	} `yaml:"core"`
 	Database common.DatabaseConfig `yaml:"database"`
 	Email    common.MailConfig     `yaml:"email"`
@@ -84,6 +85,7 @@ func NewConfig() *Config {
 	cfg.Core.AdminUser = "admin@wgportal.local"
 	cfg.Core.AdminPassword = "wgportal"
 	cfg.Core.LdapEnabled = false
+	cfg.Core.SessionSecret = "secret"
 
 	cfg.Database.Typ = "sqlite"
 	cfg.Database.Database = "data/wg_portal.db"

internal/server/handlers_auth.go

@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"
 
+	csrf "github.com/utrack/gin-csrf"
+
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/authentication"
 	"github.com/h44z/wg-portal/internal/users"
@@ -31,6 +33,7 @@ func (s *Server) GetLogin(c *gin.Context) {
 		"error":   authError != "",
 		"message": errMsg,
 		"static":  s.getStaticData(),
+		"Csrf":    csrf.GetToken(c),
 	})
 }
 

internal/server/handlers_common.go

@@ -4,13 +4,10 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/h44z/wg-portal/internal/users"
-
-	"github.com/h44z/wg-portal/internal/common"
-
-	"github.com/pkg/errors"
-
 	"github.com/gin-gonic/gin"
+	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/users"
+	"github.com/pkg/errors"
 )
 
 func (s *Server) GetHandleError(c *gin.Context, code int, message, details string) {

internal/server/handlers_interface.go

@@ -4,10 +4,10 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/common"
+	"github.com/h44z/wg-portal/internal/wireguard"
+	csrf "github.com/utrack/gin-csrf"
 )
 
 func (s *Server) GetAdminEditInterface(c *gin.Context) {
@@ -27,6 +27,7 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 		"Device":       currentSession.FormData.(wireguard.Device),
 		"EditableKeys": s.config.Core.EditableKeys,
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 

internal/server/handlers_peer.go

@@ -14,6 +14,7 @@ import (
 	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/sirupsen/logrus"
 	"github.com/tatsushid/go-fastping"
+	csrf "github.com/utrack/gin-csrf"
 )
 
 type LdapCreateForm struct {
@@ -39,6 +40,7 @@ func (s *Server) GetAdminEditPeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 
@@ -99,6 +101,7 @@ func (s *Server) GetAdminCreatePeer(c *gin.Context) {
 		"EditableKeys": s.config.Core.EditableKeys,
 		"Device":       s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames":  s.wg.Cfg.DeviceNames,
+		"Csrf":         csrf.GetToken(c),
 	})
 }
 
@@ -154,6 +157,7 @@ func (s *Server) GetAdminCreateLdapPeers(c *gin.Context) {
 		"FormData":    currentSession.FormData.(LdapCreateForm),
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 

internal/server/handlers_user.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/users"
+	csrf "github.com/utrack/gin-csrf"
 	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 )
@@ -79,6 +80,7 @@ func (s *Server) GetAdminUsersEdit(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 
@@ -156,6 +158,7 @@ func (s *Server) GetAdminUsersCreate(c *gin.Context) {
 		"Device":      s.peers.GetDevice(currentSession.DeviceName),
 		"DeviceNames": s.wg.Cfg.DeviceNames,
 		"Epoch":       time.Time{},
+		"Csrf":        csrf.GetToken(c),
 	})
 }
 

internal/server/server.go

@@ -26,6 +26,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	ginlogrus "github.com/toorop/gin-logrus"
+	csrf "github.com/utrack/gin-csrf"
 	"gorm.io/gorm"
 )
 
@@ -111,6 +112,14 @@ func (s *Server) Setup(ctx context.Context) error {
 		s.server.Use(ginlogrus.Logger(logrus.StandardLogger()))
 	}
 	s.server.Use(gin.Recovery())
+	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))
+	s.server.Use(csrf.Middleware(csrf.Options{
+		Secret: s.config.Core.SessionSecret,
+		ErrorFunc: func(c *gin.Context) {
+			c.String(400, "CSRF token mismatch")
+			c.Abort()
+		},
+	}))
 	s.server.SetFuncMap(template.FuncMap{
 		"formatBytes": common.ByteCountSI,
 		"urlEncode":   url.QueryEscape,
@@ -128,7 +137,6 @@ func (s *Server) Setup(ctx context.Context) error {
 	// Setup templates
 	templates := template.Must(template.New("").Funcs(s.server.FuncMap).ParseFS(wgportal.Templates, "assets/tpl/*.html"))
 	s.server.SetHTMLTemplate(templates)
-	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte("secret")))) // TODO: change key?
 
 	// Serve static files
 	s.server.StaticFS("/css", http.FS(fsMust(fs.Sub(wgportal.Statics, "assets/css"))))

internal/server/server_helper.go

@@ -8,10 +8,9 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/h44z/wg-portal/internal/wireguard"
-
 	"github.com/h44z/wg-portal/internal/common"
 	"github.com/h44z/wg-portal/internal/users"
+	"github.com/h44z/wg-portal/internal/wireguard"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"