From 8dbdc9500fab66df580d046ce1cdb95e53e023f5 Mon Sep 17 00:00:00 2001
From: Paul <paul@zom.bi>
Date: Thu, 22 Aug 2019 00:49:23 +0200
Subject: [PATCH] Make CSRF customizable

---
 internal/web/handlers.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/internal/web/handlers.go b/internal/web/handlers.go
index 2130023..4bec902 100644
--- a/internal/web/handlers.go
+++ b/internal/web/handlers.go
@@ -8,9 +8,14 @@ import (
 	"github.com/gorilla/csrf"
 )
 
+type Config struct {
+	CSRFSecret string `env:"CSRF_TOKEN"`
+}
+
 type Handlers struct {
 	*app.App
 	session *scs.Session
+	Config  *Config
 }
 
 func NewHandlers(app *app.App) *Handlers {
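Review bot: The new `Config *Config` field on Handlers is a pointer and nothing in this hunk assigns it, while the second hunk dereferences it unconditionally in CSRF() via `h.Config.CSRFSecret`; NewHandlers starts on the hunk's last line and its body is outside the hunk, so unless it sets Config every call to CSRF() on a default-constructed Handlers will panic with a nil dereference. Either make the field a value type (`Config Config`) so the zero value is usable, or add `Config: &Config{}` (or the env-loaded value) in NewHandlers. The exported Config type and its field also lack doc comments; the field name says "secret" while the tag says `CSRF_TOKEN`, which is easy to confuse with the per-request token, so a comment such as `// CSRFSecret is the 32-byte key handed to csrf.Protect; it is presumably populated from the CSRF_TOKEN environment variable by an env loader.` would remove the ambiguity.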
@@ -34,8 +39,12 @@ func (h *Handlers) commonRenderContext(r *http.Request) map[string]interface{} {
 }
 
 func (h *Handlers) CSRF() func(http.Handler) http.Handler {
+	if h.Config.CSRFSecret == "" {
+		// TODO FIXME: generate random
+		h.Config.CSRFSecret = "12345678901234567890123456789012"
+	}
 	return csrf.Protect(
-		[]byte("12345678901234567890123456789012"),
+		[]byte(h.Config.CSRFSecret),
 		csrf.FieldName("authenticity_token"),
 		csrf.Secure(h.session.Cookie.Secure),
 	)
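Review bot: The empty-secret branch added at the top of CSRF() falls back to the same fixed, publicly visible 32-byte key the commit is meant to remove, so a deployment that forgets to set the variable silently runs with a key anyone reading this repository knows, and the `TODO FIXME` leaves that as a latent misconfiguration rather than a loud failure. Prefer generating the fallback with crypto/rand (note the caveat that a per-process random key invalidates tokens across restarts and between instances, so it is only a development convenience) and reject a configured value whose length is not 32 bytes, since gorilla/csrf requires exactly that; failing at startup is better than serving with a weak key. Logging a warning when the random fallback is used makes the misconfiguration visible in operations. The rewritten guard needs `crypto/rand`, `fmt` and `log` in the import block, which is outside this hunk.

```go
func (h *Handlers) CSRF() func(http.Handler) http.Handler {
	if h.Config.CSRFSecret == "" {
		// No key configured: use a per-process random key. Tokens will not
		// survive a restart or be shared between instances, so this is only
		// acceptable outside production.
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(fmt.Errorf("generating CSRF key: %w", err))
		}
		h.Config.CSRFSecret = string(key)
		log.Println("CSRF secret not configured; using a random per-process key")
	}
	if len(h.Config.CSRFSecret) != 32 {
		// csrf.Protect requires a 32-byte key; fail at startup rather than serve with a bad one.
		panic(fmt.Errorf("CSRF secret must be exactly 32 bytes, got %d", len(h.Config.CSRFSecret)))
	}
	// … unchanged: csrf.Protect call …
```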