b1dc8fcc4e
Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.
Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms
Closes #11
100 lines
2.4 KiB
Go
100 lines
2.4 KiB
Go
// Package handlers provides HTTP request handlers.
|
|
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"html/template"
|
|
"log/slog"
|
|
"net/http"
|
|
|
|
"github.com/gorilla/csrf"
|
|
"go.uber.org/fx"
|
|
|
|
"git.eeqj.de/sneak/upaas/internal/database"
|
|
"git.eeqj.de/sneak/upaas/internal/docker"
|
|
"git.eeqj.de/sneak/upaas/internal/globals"
|
|
"git.eeqj.de/sneak/upaas/internal/healthcheck"
|
|
"git.eeqj.de/sneak/upaas/internal/logger"
|
|
"git.eeqj.de/sneak/upaas/internal/service/app"
|
|
"git.eeqj.de/sneak/upaas/internal/service/auth"
|
|
"git.eeqj.de/sneak/upaas/internal/service/deploy"
|
|
"git.eeqj.de/sneak/upaas/internal/service/webhook"
|
|
)
|
|
|
|
// Params contains dependencies for Handlers.
|
|
type Params struct {
|
|
fx.In
|
|
|
|
Logger *logger.Logger
|
|
Globals *globals.Globals
|
|
Database *database.Database
|
|
Healthcheck *healthcheck.Healthcheck
|
|
Auth *auth.Service
|
|
App *app.Service
|
|
Deploy *deploy.Service
|
|
Webhook *webhook.Service
|
|
Docker *docker.Client
|
|
}
|
|
|
|
// Handlers provides HTTP request handlers.
|
|
type Handlers struct {
|
|
log *slog.Logger
|
|
params *Params
|
|
db *database.Database
|
|
hc *healthcheck.Healthcheck
|
|
auth *auth.Service
|
|
appService *app.Service
|
|
deploy *deploy.Service
|
|
webhook *webhook.Service
|
|
docker *docker.Client
|
|
globals *globals.Globals
|
|
}
|
|
|
|
// New creates a new Handlers instance.
|
|
func New(_ fx.Lifecycle, params Params) (*Handlers, error) {
|
|
return &Handlers{
|
|
log: params.Logger.Get(),
|
|
params: ¶ms,
|
|
db: params.Database,
|
|
hc: params.Healthcheck,
|
|
auth: params.Auth,
|
|
appService: params.App,
|
|
deploy: params.Deploy,
|
|
webhook: params.Webhook,
|
|
docker: params.Docker,
|
|
globals: params.Globals,
|
|
}, nil
|
|
}
|
|
|
|
// addGlobals adds version info and CSRF token to template data map.
|
|
func (h *Handlers) addGlobals(
|
|
data map[string]any,
|
|
request *http.Request,
|
|
) map[string]any {
|
|
data["Version"] = h.globals.Version
|
|
data["Appname"] = h.globals.Appname
|
|
|
|
if request != nil {
|
|
data["CSRFField"] = template.HTML(csrf.TemplateField(request)) //nolint:gosec // csrf.TemplateField produces safe HTML
|
|
}
|
|
|
|
return data
|
|
}
|
|
|
|
func (h *Handlers) respondJSON(
|
|
writer http.ResponseWriter,
|
|
_ *http.Request,
|
|
data any,
|
|
status int,
|
|
) {
|
|
writer.Header().Set("Content-Type", "application/json")
|
|
writer.WriteHeader(status)
|
|
|
|
if data != nil {
|
|
err := json.NewEncoder(writer).Encode(data)
|
|
if err != nil {
|
|
h.log.Error("json encode error", "error", err)
|
|
}
|
|
}
|
|
}
|