add csrf

internal/server/server.go

@@ -26,6 +26,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	ginlogrus "github.com/toorop/gin-logrus"
+	csrf "github.com/utrack/gin-csrf"
 	"gorm.io/gorm"
 )
 
@@ -111,6 +112,14 @@ func (s *Server) Setup(ctx context.Context) error {
 		s.server.Use(ginlogrus.Logger(logrus.StandardLogger()))
 	}
 	s.server.Use(gin.Recovery())
+	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte(s.config.Core.SessionSecret))))
+	s.server.Use(csrf.Middleware(csrf.Options{
+		Secret: s.config.Core.SessionSecret,
+		ErrorFunc: func(c *gin.Context) {
+			c.String(400, "CSRF token mismatch")
+			c.Abort()
+		},
+	}))
 	s.server.SetFuncMap(template.FuncMap{
 		"formatBytes": common.ByteCountSI,
 		"urlEncode":   url.QueryEscape,
@@ -128,7 +137,6 @@ func (s *Server) Setup(ctx context.Context) error {
 	// Setup templates
 	templates := template.Must(template.New("").Funcs(s.server.FuncMap).ParseFS(wgportal.Templates, "assets/tpl/*.html"))
 	s.server.SetHTMLTemplate(templates)
-	s.server.Use(sessions.Sessions("authsession", memstore.NewStore([]byte("secret")))) // TODO: change key?
 
 	// Serve static files
 	s.server.StaticFS("/css", http.FS(fsMust(fs.Sub(wgportal.Statics, "assets/css"))))