fix: detect TLS per-request in CSRF middleware to fix login (#54)
All checks were successful
check / check (push) Successful in 1m55s
All checks were successful
check / check (push) Successful in 1m55s
## Problem After the security hardening in PR #42, login fails with `Forbidden - invalid CSRF token` in production deployments. The CSRF middleware tied its `PlaintextHTTPRequest` wrapping and cookie `Secure` flag to the `IsDev()` environment check. This meant production mode always assumed HTTPS via gorilla/csrf's strict mode, which broke login in common deployment scenarios: 1. **Production behind a TLS-terminating reverse proxy**: gorilla/csrf assumed HTTPS but `r.TLS` was nil (the Go server receives HTTP from the proxy). Origin/Referer scheme mismatches caused `referer not supplied` or `origin invalid` errors. 2. **Production over direct HTTP** (testing/staging with prod config): the `Secure` cookie flag prevented the browser from sending the CSRF cookie back over HTTP, causing `CSRF token invalid` errors. ## Root Cause gorilla/csrf v1.7.3 defaults to HTTPS-strict mode unless `PlaintextHTTPRequest()` is called. In strict mode it: - Forces `requestURL.Scheme = "https"` for Origin/Referer comparisons - Requires a `Referer` header on POST and rejects `http://` Referer schemes - The `csrf.Secure(true)` option makes the browser refuse to send the CSRF cookie over HTTP The old code only called `PlaintextHTTPRequest()` in dev mode, leaving prod mode permanently stuck in HTTPS-strict mode regardless of the actual transport. ## Fix Detect the actual transport protocol **per-request** using: - `r.TLS != nil` — direct TLS connection to the Go server - `X-Forwarded-Proto: https` header — TLS-terminating reverse proxy Two gorilla/csrf middleware instances are maintained (one with `Secure: true`, one with `Secure: false`) since `csrf.Secure()` is a creation-time option. Both use the same signing key, so cookies are interchangeable. | Scenario | Cookie Secure | Origin/Referer Mode | |---|---|---| | Direct TLS (`r.TLS != nil`) | ✅ Secure | Strict (HTTPS scheme) | | Behind TLS proxy (`X-Forwarded-Proto: https`) | ✅ Secure | Strict (HTTPS scheme) | | Plaintext HTTP | ❌ Non-Secure | Relaxed (PlaintextHTTPRequest) | CSRF token validation (cookie + form double-submit) is always enforced regardless of mode. ## Testing - Added `TestCSRF_ProdMode_PlaintextHTTP_POSTWithValidToken` — prod mode over plaintext HTTP - Added `TestCSRF_ProdMode_BehindProxy_POSTWithValidToken` — prod mode behind TLS proxy - Added `TestCSRF_ProdMode_DirectTLS_POSTWithValidToken` — prod mode with direct TLS - Added `TestCSRF_ProdMode_PlaintextHTTP_POSTWithoutToken` — token still required - Added `TestIsClientTLS_*` — TLS detection unit tests - All existing CSRF tests pass unchanged - `docker build .` passes (includes `make check`) - Manual verification: built and ran the container in both `dev` and `prod` modes, confirmed login succeeds in both Closes #53 Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #54 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
This commit was merged in pull request #54.
This commit is contained in:
@@ -12,6 +12,13 @@ func CSRFToken(r *http.Request) string {
|
||||
return csrf.Token(r)
|
||||
}
|
||||
|
||||
// isClientTLS reports whether the client-facing connection uses TLS.
|
||||
// It checks for a direct TLS connection (r.TLS) or a TLS-terminating
|
||||
// reverse proxy that sets the standard X-Forwarded-Proto header.
|
||||
func isClientTLS(r *http.Request) bool {
|
||||
return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
|
||||
}
|
||||
|
||||
// CSRF returns middleware that provides CSRF protection using the
|
||||
// gorilla/csrf library. The middleware uses the session authentication
|
||||
// key to sign a CSRF cookie and validates a masked token submitted via
|
||||
@@ -19,38 +26,59 @@ func CSRFToken(r *http.Request) string {
|
||||
// POST/PUT/PATCH/DELETE requests. Requests with an invalid or missing
|
||||
// token receive a 403 Forbidden response.
|
||||
//
|
||||
// In development mode, requests are marked as plaintext HTTP so that
|
||||
// gorilla/csrf skips the strict Referer-origin check (which is only
|
||||
// meaningful over TLS).
|
||||
// The middleware detects the client-facing transport protocol per-request
|
||||
// using r.TLS and the X-Forwarded-Proto header. This allows correct
|
||||
// behavior in all deployment scenarios:
|
||||
//
|
||||
// - Direct HTTPS: strict Referer/Origin checks, Secure cookies.
|
||||
// - Behind a TLS-terminating reverse proxy: strict checks (the
|
||||
// browser is on HTTPS, so Origin/Referer headers use https://),
|
||||
// Secure cookies (the browser sees HTTPS from the proxy).
|
||||
// - Direct HTTP: relaxed Referer/Origin checks via PlaintextHTTPRequest,
|
||||
// non-Secure cookies so the browser sends them over HTTP.
|
||||
//
|
||||
// Two gorilla/csrf instances are maintained — one with Secure cookies
|
||||
// (for TLS) and one without (for plaintext HTTP) — because the
|
||||
// csrf.Secure option is set at creation time, not per-request.
|
||||
func (m *Middleware) CSRF() func(http.Handler) http.Handler {
|
||||
protect := csrf.Protect(
|
||||
m.session.GetKey(),
|
||||
csrfErrorHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
m.log.Warn("csrf: token validation failed",
|
||||
"method", r.Method,
|
||||
"path", r.URL.Path,
|
||||
"remote_addr", r.RemoteAddr,
|
||||
"reason", csrf.FailureReason(r),
|
||||
)
|
||||
http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
|
||||
})
|
||||
|
||||
key := m.session.GetKey()
|
||||
baseOpts := []csrf.Option{
|
||||
csrf.FieldName("csrf_token"),
|
||||
csrf.Secure(!m.params.Config.IsDev()),
|
||||
csrf.SameSite(csrf.SameSiteLaxMode),
|
||||
csrf.Path("/"),
|
||||
csrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
m.log.Warn("csrf: token validation failed",
|
||||
"method", r.Method,
|
||||
"path", r.URL.Path,
|
||||
"remote_addr", r.RemoteAddr,
|
||||
"reason", csrf.FailureReason(r),
|
||||
)
|
||||
http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
|
||||
})),
|
||||
)
|
||||
|
||||
// In development (plaintext HTTP), signal gorilla/csrf to skip
|
||||
// the strict TLS Referer check by injecting the PlaintextHTTP
|
||||
// context key before the CSRF handler sees the request.
|
||||
if m.params.Config.IsDev() {
|
||||
return func(next http.Handler) http.Handler {
|
||||
csrfHandler := protect(next)
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
csrfHandler.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
|
||||
})
|
||||
}
|
||||
csrf.ErrorHandler(csrfErrorHandler),
|
||||
}
|
||||
|
||||
return protect
|
||||
// Two middleware instances with different Secure flags but the
|
||||
// same signing key, so cookies are interchangeable between them.
|
||||
tlsProtect := csrf.Protect(key, append(baseOpts, csrf.Secure(true))...)
|
||||
httpProtect := csrf.Protect(key, append(baseOpts, csrf.Secure(false))...)
|
||||
|
||||
return func(next http.Handler) http.Handler {
|
||||
tlsCSRF := tlsProtect(next)
|
||||
httpCSRF := httpProtect(next)
|
||||
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if isClientTLS(r) {
|
||||
// Client is on TLS (directly or via reverse proxy).
|
||||
// Use Secure cookies and strict Origin/Referer checks.
|
||||
tlsCSRF.ServeHTTP(w, r)
|
||||
} else {
|
||||
// Plaintext HTTP: use non-Secure cookies and tell
|
||||
// gorilla/csrf to use "http" for scheme comparisons,
|
||||
// skipping the strict Referer check that assumes TLS.
|
||||
httpCSRF.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user