From 8dbdc9500fab66df580d046ce1cdb95e53e023f5 Mon Sep 17 00:00:00 2001
From: Paul
Date: Thu, 22 Aug 2019 00:49:23 +0200
Subject: [PATCH] Make CSRF customizable

---
 internal/web/handlers.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/internal/web/handlers.go b/internal/web/handlers.go
index 2130023..4bec902 100644
--- a/internal/web/handlers.go
+++ b/internal/web/handlers.go
@@ -8,9 +8,14 @@ import (
 "github.com/gorilla/csrf"
 )
 
+type Config struct {
+CSRFSecret string `env:"CSRF_TOKEN"`
+}
+
 type Handlers struct {
 *app.App
 session *scs.Session
+Config *Config
 }
 
 func NewHandlers(app *app.App) *Handlers {
@@ -34,8 +39,12 @@ func (h *Handlers) commonRenderContext(r *http.Request) map[string]interface{} {
 }
 
 func (h *Handlers) CSRF() func(http.Handler) http.Handler {
+if h.Config.CSRFSecret == "" {
+// TODO FIXME: generate random
+h.Config.CSRFSecret = "12345678901234567890123456789012"
+}
 return csrf.Protect(
-[]byte("12345678901234567890123456789012"),
+[]byte(h.Config.CSRFSecret),
 csrf.FieldName("authenticity_token"),
 csrf.Secure(h.session.Cookie.Secure),
 )
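Review bot: The new `Config *Config` field on Handlers is a pointer that nothing in this hunk initializes, and NewHandlers keeps its single `app` parameter, so unless a caller assigns h.Config before calling CSRF() the dereference `h.Config.CSRFSecret` in the second hunk is a nil-pointer panic; the body of NewHandlers lies outside the hunk, so I cannot confirm it sets the field. Either make it a value field, `Config Config`, or have NewHandlers populate it. Both new exported names also lack doc comments; I would add `// Config holds deployment settings read from the environment.` above the struct and `// CSRFSecret is the key used to sign CSRF tokens; it must be 32 bytes.` above the field. The env tag `CSRF_TOKEN` names a field that is really a signing secret rather than a token, which is likely to confuse whoever sets the variable; `CSRF_SECRET` would match the field.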
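Review bot: The fallback branch in CSRF() still hard-codes the same 32-byte key that the removed line used, so a deployment that forgets the environment variable silently runs with a key that is public in this repository, and the `TODO FIXME` comment acknowledges this. An empty secret should be a startup failure rather than a default, and the key length should be checked as well because gorilla/csrf documents a 32-byte key while the env value can be any length: `if len(h.Config.CSRFSecret) != 32 {` / `	log.Fatal("CSRF_TOKEN must be set to a 32-byte secret")` / `}`, which needs `log` added to the import block outside this hunk. Generating a random key on the fly, as the TODO suggests, would also be weaker than it looks, since a per-process key invalidates every in-flight form on restart and differs across replicas. The lazy write to h.Config inside CSRF() mutates shared configuration from a middleware constructor; validating once at startup keeps CSRF() side-effect free.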