Fix panic on CSRF middleware failure

pkg/router/router.go

@@ -86,9 +86,9 @@ func New() http.Handler {
 	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir(config.StaticPath))))
 
 	// Global middlewares.
-	withSession := middleware.Session(mux)
-	withCSRF := middleware.CSRF(withSession)
-	withRecovery := middleware.Recovery(withCSRF)
+	withCSRF := middleware.CSRF(mux)
+	withSession := middleware.Session(withCSRF)
+	withRecovery := middleware.Recovery(withSession)
 	withLogger := middleware.Logging(withRecovery)
 	return withLogger
 }

pkg/session/session.go

@@ -195,6 +195,10 @@ func ImpersonateUser(w http.ResponseWriter, r *http.Request, u *models.User, imp
 // Impersonated returns if the current session has an impersonator.
 func Impersonated(r *http.Request) bool {
 	sess := Get(r)
+	if sess == nil {
+		return false
+	}
+
 	return sess.Impersonator > 0
 }