Make CSRF customizable

2019-08-22 00:49:23 +02:00 · 2019-08-22 00:49:23 +02:00 · 8dbdc9500f
parent ac5f74988f
commit 8dbdc9500f
1 changed files with 10 additions and 1 deletions
--- a/internal/web/handlers.go
+++ b/internal/web/handlers.go
@ -8,9 +8,14 @@ import (
 	"github.com/gorilla/csrf"
 )

+type Config struct {
+	CSRFSecret string `env:"CSRF_TOKEN"`
+}
+
 type Handlers struct {
 	*app.App
 	session *scs.Session
+	Config  *Config
 }

 func NewHandlers(app *app.App) *Handlers {
@ -34,8 +39,12 @@ func (h *Handlers) commonRenderContext(r *http.Request) map[string]interface{} {
 }

 func (h *Handlers) CSRF() func(http.Handler) http.Handler {
+	if h.Config.CSRFSecret == "" {
+		// TODO FIXME: generate random
+		h.Config.CSRFSecret = "12345678901234567890123456789012"
+	}
 	return csrf.Protect(
-		[]byte("12345678901234567890123456789012"),
+		[]byte(h.Config.CSRFSecret),
 		csrf.FieldName("authenticity_token"),
 		csrf.Secure(h.session.Cookie.Secure),
 	)