fix: CSRF sending masked token

3 months ago · 6dee48b92a
3 changed files with 39 additions and 5 deletions
--- a/apps/web/main.go
+++ b/apps/web/main.go
@ -119,6 +119,7 @@ func main() {
 			protected.Use(middleware.CSRFSimple)
 		} else {
 			protected.Use(csrfMw)
+			protected.Use(middleware.CSRFExposeToken)
 		}
 	}

--- a/internal/middleware/csrf_expose.go
+++ b/internal/middleware/csrf_expose.go
@ -0,0 +1,30 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/csrf"
+)
+
+// CSRFExposeToken sets a readable cookie with the per-request masked CSRF token on safe methods.
+func CSRFExposeToken(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodGet, http.MethodHead, http.MethodOptions:
+			token := csrf.Token(r)
+			if token != "" {
+				secure := r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
+				http.SetCookie(w, &http.Cookie{
+					Name:     "XSRF-TOKEN-VALUE",
+					Value:    token,
+					Path:     "/",
+					HttpOnly: false,
+					Secure:   secure,
+					SameSite: http.SameSiteLaxMode,
+				})
+			}
+		}
+		next.ServeHTTP(w, r)
+	})
+}
--- a/templates/layout.html
+++ b/templates/layout.html
@ -7,13 +7,16 @@
  <title>ServiceTrade Tools</title>
  <script src="https://unpkg.com/htmx.org@1.9.6"></script>
  <script>
-    // Read XSRF-TOKEN cookie and send as X-CSRF-Token on all htmx requests
+    // Send CSRF token on all htmx requests: prefer masked token cookie (XSRF-TOKEN-VALUE), fallback to storage token (XSRF-TOKEN)
    document.addEventListener('DOMContentLoaded', function () {
+      function readCookie(name) {
+        var re = new RegExp('(?:^|; )' + name.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '=([^;]+)');
+        var m = document.cookie.match(re);
+        return m ? decodeURIComponent(m[1]) : null;
+      }
      document.body.addEventListener('htmx:configRequest', function (evt) {
-        var m = document.cookie.match(/(?:^|; )XSRF-TOKEN=([^;]+)/);
-        if (m) {
-          try { evt.detail.headers['X-CSRF-Token'] = decodeURIComponent(m[1]); } catch (e) { }
-        }
+        var token = readCookie('XSRF-TOKEN-VALUE') || readCookie('XSRF-TOKEN');
+        if (token) { evt.detail.headers['X-CSRF-Token'] = token; }
      });
    });
  </script>