Fix CSRF loading on static GET pages

2 years ago · 159638084e
parent 88ebaeda8f
commit 159638084e
7 changed files with 44 additions and 3 deletions
--- a/srv/src/http/api.go
+++ b/srv/src/http/api.go
@ -163,6 +163,9 @@ func (a *api) Shutdown(ctx context.Context) error {

 func (a *api) apiHandler() http.Handler {
 	mux := http.NewServeMux()
+
+	mux.Handle("/csrf", a.getCSRFTokenHandler())
+
 	mux.Handle("/pow/challenge", a.newPowChallengeHandler())
 	mux.Handle("/pow/check",
 		a.requirePowMiddleware(
--- a/srv/src/http/csrf.go
+++ b/srv/src/http/csrf.go
@ -57,3 +57,22 @@ func checkCSRFMiddleware(h http.Handler) http.Handler {
 		h.ServeHTTP(rw, r)
 	})
 }
+
+func (a *api) getCSRFTokenHandler() http.Handler {
+
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+
+		csrfTok, err := apiutil.GetCookie(r, csrfTokenCookieName, "")
+
+		if err != nil {
+			apiutil.InternalServerError(rw, r, err)
+			return
+		}
+
+		apiutil.JSONResult(rw, r, struct {
+			CSRFToken string
+		}{
+			CSRFToken: csrfTok,
+		})
+	})
+}
--- a/srv/src/http/tpl.go
+++ b/srv/src/http/tpl.go
@ -100,6 +100,7 @@ func (a *api) mustParseTpl(name string) *template.Template {

 func (a *api) mustParseBasedTpl(name string) *template.Template {
 	tpl := a.mustParseTpl(name)
+	tpl = template.Must(tpl.New("load-csrf.html").Parse(mustReadTplFile("load-csrf.html")))
 	tpl = template.Must(tpl.New("base.html").Parse(mustReadTplFile("base.html")))
 	return tpl
 }
@ -111,8 +112,8 @@ type tplData struct {

 func (t tplData) CSRFFormInput() template.HTML {
 	return template.HTML(fmt.Sprintf(
-		`<input type="hidden" name="%s" value="%s" />`,
-		csrfTokenFormName, t.CSRFToken,
+		`<input type="hidden" name="%s" class="csrfHiddenInput" />`,
+		csrfTokenFormName,
 	))
 }

--- a/srv/src/http/tpl/assets.html
+++ b/srv/src/http/tpl/assets.html
@ -46,6 +46,8 @@

 </table>

+{{ template "load-csrf.html" . }}
+
 {{ end }}

 {{ template "base.html" . }}
--- a/srv/src/http/tpl/edit-post.html
+++ b/srv/src/http/tpl/edit-post.html
@ -99,6 +99,8 @@

  </form>

+  {{ template "load-csrf.html" . }}
+
 {{ end }}

 {{ template "base.html" . }}
--- a/srv/src/http/tpl/load-csrf.html
+++ b/srv/src/http/tpl/load-csrf.html
@ -0,0 +1,13 @@
+<script async type="module" src="{{ StaticURL "api.js" }}"></script>
+
+<script type="text/javascript">
+  (async () => {
+    const api = await import("{{ StaticURL "api.js" }}");
+    const res = await api.call("/api/csrf");
+
+    const els = document.getElementsByClassName("csrfHiddenInput");
+    for (let i = 0; i < els.length; i++) {
+      els[i].value = res.CSRFToken;
+    }
+  })();
+</script>
--- a/srv/src/http/tpl/posts.html
+++ b/srv/src/http/tpl/posts.html
@ -20,7 +20,6 @@

  {{ $csrfFormInput := .CSRFFormInput }}

-
  <p style="text-align: center;">
    <a href="{{ BlogURL "posts/" }}?edit">
      <button>New Post</button>
@ -56,6 +55,8 @@

  {{ template "posts-nextprev" . }}

+  {{ template "load-csrf.html" . }}
+
 {{ end }}

 {{ template "base.html" . }}