add csrf token to forms

Author: Christian Francia

cmd/web/helpers.go

@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"runtime/debug"
 	"time"
+
+	"github.com/justinas/nosurf"
 )
 
 // The serverError helper writes an error message and stack trace to the errorLog
@@ -47,10 +49,11 @@ func (app *application) addDefaultData(td *templateData, r *http.Request) *templ
 	if td == nil {
 		td = &templateData{}
 	}
-	td.CurrentYear = time.Now().Year()
 
 	// Here we are adding the default value to our sessions
 	td.Flash = app.session.PopString(r, "flash")
+	td.CSRFToken = nosurf.Token(r)
+	td.CurrentYear = time.Now().Year()
 	td.IsAuthenticated = app.isAuthenticated(r)
 	return td
 }

cmd/web/middleware.go

@@ -3,6 +3,8 @@ package main
 import (
 	"fmt"
 	"net/http"
+
+	"github.com/justinas/nosurf"
 )
 
 func secureHeaders(next http.Handler) http.Handler {
@@ -48,3 +50,13 @@ func (app *application) requireAuthentication(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func noSurf(next http.Handler) http.Handler {
+	csrfHandler := nosurf.New(next)
+	csrfHandler.SetBaseCookie(http.Cookie{
+		HttpOnly: true,
+		Path:     "/",
+		Secure:   true,
+	})
+	return csrfHandler
+}

cmd/web/routes.go

@@ -9,7 +9,7 @@ import (
 
 func (app *application) routes() http.Handler {
 	standardMiddleware := alice.New(app.recoverPanic, app.logRequest, secureHeaders)
-	dynamicMiddleware := alice.New(app.session.Enable)
+	dynamicMiddleware := alice.New(app.session.Enable, noSurf)
 	mux := pat.New()
 	mux.Get("/", dynamicMiddleware.ThenFunc(app.home))
 	mux.Get("/snippet/create", dynamicMiddleware.Append(app.requireAuthentication).ThenFunc(app.createSnippetForm))

cmd/web/templates.go

@@ -10,6 +10,7 @@ import (
 )
 
 type templateData struct {
+	CSRFToken       string
 	CurrentYear     int
 	Form            *forms.Form
 	Flash           string

go.mod

@@ -7,6 +7,6 @@ require (
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/golangcollege/sessions v1.2.0
 	github.com/justinas/alice v1.2.0
-	github.com/justinas/nosurf v1.1.0 // indirect
+	github.com/justinas/nosurf v1.1.0
 	golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6
 )

ui/html/base.layout.tmpl

@@ -24,6 +24,7 @@
             <div>
                 {{if .IsAuthenticated}}
                     <form action='/user/logout' method='POST'>
+                        <input type='hidden' name='csrf_token' value='{{.CSRFToken}}'>
                         <button>Logout</button>
                     </form>
                 {{else}}

ui/html/create.page.tmpl

@@ -4,6 +4,7 @@
 
 {{define "main"}}
 <form action='/snippet/create' method='POST'>
+    <input type='hidden' name='csrf_token' value='{{.CSRFToken}}'>
     {{with .Form}}
     <div>
         <label>Title:</label>

ui/html/login.page.tmpl

@@ -4,6 +4,7 @@
 
 {{define "main"}}
 <form action='/user/login' method='POST' novalidate>
+    <input type='hidden' name='csrf_token' value='{{.CSRFToken}}'>
     {{with .Form}}
         {{with .Errors.Get "generic"}}
             <label class='error'>{{.}}

ui/html/signup.page.tmpl

@@ -4,6 +4,7 @@
 
 {{define "main"}}
 <form action='/user/signup' method='POST' novalidate>
+    <input type='hidden' name='csrf_token' value='{{.CSRFToken}}'>
     {{with .Form}}
         <div>
             <label>Name: </label>