diff --git a/account.go b/account.go
index b93168f..66a9d24 100644
--- a/account.go
+++ b/account.go
@@ -20,6 +20,7 @@ import (
"sync"
"time"
+ "github.com/gorilla/csrf"
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/guregu/null/zero"
@@ -1082,6 +1083,7 @@ func viewSettings(app *App, u *User, w http.ResponseWriter, r *http.Request) err
HasPass bool
IsLogOut bool
Silenced bool
+ CSRFField template.HTML
OauthSection bool
OauthAccounts []oauthAccountInfo
OauthSlack bool
@@ -1098,6 +1100,7 @@ func viewSettings(app *App, u *User, w http.ResponseWriter, r *http.Request) err
HasPass: passIsSet,
IsLogOut: r.FormValue("logout") == "1",
Silenced: fullUser.IsSilenced(),
+ CSRFField: csrf.TemplateField(r),
OauthSection: displayOauthSection,
OauthAccounts: oauthAccounts,
OauthSlack: enableOauthSlack,
diff --git a/app.go b/app.go
index ed4e096..f665166 100644
--- a/app.go
+++ b/app.go
@@ -166,6 +166,14 @@ func (app *App) LoadKeys() error {
if debugging {
log.Info(" %s", emailKeyPath)
}
+
+ executable, err := os.Executable()
+ if err != nil {
+ executable = "writefreely"
+ } else {
+ executable = filepath.Base(executable)
+ }
+
app.keys.EmailKey, err = ioutil.ReadFile(emailKeyPath)
if err != nil {
return err
@@ -187,6 +195,22 @@ func (app *App) LoadKeys() error {
return err
}
+ if debugging {
+ log.Info(" %s", csrfKeyPath)
+ }
+ app.keys.CSRFKey, err = ioutil.ReadFile(csrfKeyPath)
+ if err != nil {
+ if os.IsNotExist(err) {
+ log.Error(`Missing key: %s.
+
+ Run this command to generate missing keys:
+ %s keys generate
+
+`, csrfKeyPath, executable)
+ }
+ return err
+ }
+
return nil
}
@@ -637,6 +661,10 @@ func GenerateKeyFiles(app *App) error {
if err != nil {
keyErrs = err
}
+ err = generateKey(csrfKeyPath)
+ if err != nil {
+ keyErrs = err
+ }
return keyErrs
}
diff --git a/go.mod b/go.mod
index 3006fa6..bb69895 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
github.com/go-sql-driver/mysql v1.6.0
github.com/go-test/deep v1.0.1 // indirect
github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
+ github.com/gorilla/csrf v1.7.0
github.com/gorilla/feeds v1.1.1
github.com/gorilla/mux v1.8.0
github.com/gorilla/schema v1.2.0
@@ -22,7 +23,6 @@ require (
github.com/microcosm-cc/bluemonday v1.0.5
github.com/mitchellh/go-wordwrap v1.0.1
github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
- github.com/pkg/errors v0.8.1 // indirect
github.com/prologic/go-gopher v0.0.0-20200721020712-3e11dcff0469
github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 // indirect
diff --git a/go.sum b/go.sum
index b8adf04..354a1dd 100644
--- a/go.sum
+++ b/go.sum
@@ -44,6 +44,8 @@ github.com/gologme/log v1.2.0 h1:Ya5Ip/KD6FX7uH0S31QO87nCCSucKtF44TLbTtO7V4c=
github.com/gologme/log v1.2.0/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1ks85zJ1lfDGgIiMDuIptTOhJq+zKyg=
github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/csrf v1.7.0 h1:mMPjV5/3Zd460xCavIkppUdvnl5fPXMpv2uz2Zyg7/Y=
+github.com/gorilla/csrf v1.7.0/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
github.com/gorilla/feeds v1.1.1 h1:HwKXxqzcRNg9to+BbvJog4+f3s/xzvtZXICcQGutYfY=
@@ -99,6 +101,8 @@ github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/
github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prologic/go-gopher v0.0.0-20200721020712-3e11dcff0469 h1:rAbv2gekFbUcjhUkruwo0vMJ0JqhUgg9tz7t+bxHbN4=
diff --git a/key/key.go b/key/key.go
index 1cb3cf8..25490ca 100644
--- a/key/key.go
+++ b/key/key.go
@@ -1,5 +1,5 @@
/*
- * Copyright © 2019 A Bunch Tell LLC.
+ * Copyright © 2019, 2021 A Bunch Tell LLC.
*
* This file is part of WriteFreely.
*
@@ -20,7 +20,7 @@ const (
)
type Keychain struct {
- EmailKey, CookieAuthKey, CookieKey []byte
+ EmailKey, CookieAuthKey, CookieKey, CSRFKey []byte
}
// GenerateKeys generates necessary keys for the app on the given Keychain,
@@ -47,6 +47,12 @@ func (keys *Keychain) GenerateKeys() error {
keyErrs = err
}
}
+ if len(keys.CSRFKey) == 0 {
+ keys.CSRFKey, err = GenerateBytes(EncKeysBytes)
+ if err != nil {
+ keyErrs = err
+ }
+ }
return keyErrs
}
diff --git a/keys.go b/keys.go
index e53d811..1b43d0b 100644
--- a/keys.go
+++ b/keys.go
@@ -26,6 +26,7 @@ var (
emailKeyPath = filepath.Join(keysDir, "email.aes256")
cookieAuthKeyPath = filepath.Join(keysDir, "cookies_auth.aes256")
cookieKeyPath = filepath.Join(keysDir, "cookies_enc.aes256")
+ csrfKeyPath = filepath.Join(keysDir, "csrf.aes256")
)
// InitKeys loads encryption keys into memory via the given Apper interface
@@ -42,6 +43,7 @@ func initKeyPaths(app *App) {
emailKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, emailKeyPath)
cookieAuthKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, cookieAuthKeyPath)
cookieKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, cookieKeyPath)
+ csrfKeyPath = filepath.Join(app.cfg.Server.KeysParentDir, csrfKeyPath)
}
// generateKey generates a key at the given path used for the encryption of
diff --git a/routes.go b/routes.go
index c4e7c07..2b23bd1 100644
--- a/routes.go
+++ b/routes.go
@@ -16,6 +16,7 @@ import (
"path/filepath"
"strings"
+ "github.com/gorilla/csrf"
"github.com/gorilla/mux"
"github.com/writeas/go-webfinger"
"github.com/writeas/web-core/log"
@@ -98,7 +99,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
me.HandleFunc("/c/", handler.User(viewCollections)).Methods("GET")
me.HandleFunc("/c/{collection}", handler.User(viewEditCollection)).Methods("GET")
me.HandleFunc("/c/{collection}/stats", handler.User(viewStats)).Methods("GET")
- me.HandleFunc("/delete", handler.User(handleUserDelete)).Methods("POST")
+ me.Path("/delete").Handler(csrf.Protect(apper.App().keys.CSRFKey)(handler.User(handleUserDelete))).Methods("POST")
me.HandleFunc("/posts", handler.Redirect("/me/posts/", UserLevelUser)).Methods("GET")
me.HandleFunc("/posts/", handler.User(viewArticles)).Methods("GET")
me.HandleFunc("/posts/export.csv", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET")
@@ -107,7 +108,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
me.HandleFunc("/export", handler.User(viewExportOptions)).Methods("GET")
me.HandleFunc("/export.json", handler.Download(viewExportFull, UserLevelUser)).Methods("GET")
me.HandleFunc("/import", handler.User(viewImport)).Methods("GET")
- me.HandleFunc("/settings", handler.User(viewSettings)).Methods("GET")
+ me.Path("/settings").Handler(csrf.Protect(apper.App().keys.CSRFKey)(handler.User(viewSettings))).Methods("GET")
me.HandleFunc("/invites", handler.User(handleViewUserInvites)).Methods("GET")
me.HandleFunc("/logout", handler.Web(viewLogout, UserLevelNone)).Methods("GET")
diff --git a/templates/user/settings.tmpl b/templates/user/settings.tmpl
index c17a99f..7a90fb7 100644
--- a/templates/user/settings.tmpl
+++ b/templates/user/settings.tmpl
@@ -181,6 +181,7 @@ h3 { font-weight: normal; }