website/pkg/middleware/csrf.go
Noah 93c13882aa Finish Forums + Likes & Notifications
Finish implementing the basic forum features:
* Pinned threads (admin or board owner only)
* Edit Thread settings when you edit the top-most comment.
* NoReply threads remove all the reply buttons.
* Explicit forums and threads are filtered out unless opted-in (admins
  always see them).
* Count the unique members who participated in each forum.
* Get the most recently updated thread to show on forum list page.
* Contact/Report page: handle receiving a comment ID to report on.

Implement Likes & Notifications
* Like buttons added to Photos and Profile Pages. Implemented via simple
  vanilla JS (likes.js) to make ajax requests to back-end to like/unlike.
* Notifications: for your photo or profile being liked. If you unlike,
  the existing notifications about the like are revoked.
* The notifications appear as an alert number in the nav bar and are read
  on the User Dashboard. Click to mark a notification as "read" or click
  the "mark all as read" button.

Update DeleteUser to scrub likes, notifications, threads, and comments.
2022-08-24 21:17:34 -07:00

67 lines
1.9 KiB
Go

package middleware
import (
"context"
"net/http"
"git.kirsle.net/apps/gosocial/pkg/config"
"git.kirsle.net/apps/gosocial/pkg/log"
"git.kirsle.net/apps/gosocial/pkg/session"
"git.kirsle.net/apps/gosocial/pkg/templates"
"github.com/google/uuid"
)
// CSRF middleware. Other places to look: pkg/session/session.go, pkg/templates/template_funcs.go
func CSRF(handler http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Get or create the cookie CSRF value.
token := MakeCSRFCookie(r, w)
ctx := context.WithValue(r.Context(), session.CSRFKey, token)
// If it's a JSON post, allow it thru.
if r.Header.Get("Content-Type") == "application/json" {
handler.ServeHTTP(w, r.WithContext(ctx))
return
}
// If we are running a POST request, validate the CSRF form value.
if r.Method != http.MethodGet {
r.ParseMultipartForm(config.MultipartMaxMemory)
check := r.FormValue(config.CSRFInputName)
if check != token {
log.Error("CSRF mismatch! %s <> %s", check, token)
templates.MakeErrorPage(
"CSRF Error",
"An error occurred while processing your request. Please go back and try again.",
http.StatusForbidden,
)(w, r.WithContext(ctx))
return
}
}
handler.ServeHTTP(w, r.WithContext(ctx))
})
}
// MakeCSRFCookie gets or creates the CSRF cookie and returns its value.
func MakeCSRFCookie(r *http.Request, w http.ResponseWriter) string {
// Has a token already?
cookie, err := r.Cookie(config.CSRFCookieName)
if err == nil {
// log.Debug("MakeCSRFCookie: user has token %s", cookie.Value)
return cookie.Value
}
// Generate a new CSRF token.
token := uuid.New().String()
cookie = &http.Cookie{
Name: config.CSRFCookieName,
Value: token,
HttpOnly: true,
}
// log.Debug("MakeCSRFCookie: giving cookie value %s to user", token)
http.SetCookie(w, cookie)
return token
}