Move to using more robust csrf protections

NHAS · Sep 13, 2023 · 90d4559 · 90d4559
1 parent 32bea0a
commit 90d4559
Show file tree

Hide file tree

Showing 13 changed files with 117 additions and 85 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/NHAS/wag
 go 1.21.0
 
 require (
-	github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb
+	github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa
 	github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd
 	github.com/boombuler/barcode v1.0.1
 	github.com/cilium/ebpf v0.11.0

diff --git a/go.sum b/go.sum
@@ -2,6 +2,12 @@ github.com/NHAS/session v0.0.0-20230829082122-79a308a78ac9 h1:xEvca6Mg8N0T2V5wkM
 github.com/NHAS/session v0.0.0-20230829082122-79a308a78ac9/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
 github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb h1:76HnrEP5YAV0bLaFhrbVv5SuaUYH+DJnPvIXYjdDkvw=
 github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230912234744-c2a3c81af157 h1:elFdIrZIamHa5iUwIAjmQcvt7y1OLnqdUXly/FzmrXg=
+github.com/NHAS/session v0.0.0-20230912234744-c2a3c81af157/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230913001004-e3249bca36e8 h1:qe3uyCZEeRKTkx3UpJ8BhJcdJSnTcGc9r3QqqEDvb+M=
+github.com/NHAS/session v0.0.0-20230913001004-e3249bca36e8/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa h1:3fKRkxqoQtbOunf2lLIYkTvEC9qw3ADlOCWaugU7S+o=
+github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
 github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd h1:I3Zx79SVWGG5Qq2tbJDiEiKEpuY53EpUCXx8mYLlNVg=
 github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd/go.mod h1:hglmpEbAdMVhruL46LJXV56PPbEJO6ovBg0uhqIG9Dw=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=

diff --git a/internal/webserver/authenticators/methods/webauthn.go b/internal/webserver/authenticators/methods/webauthn.go
@@ -28,7 +28,7 @@ type Webauthn struct {
 
 func (wa *Webauthn) Init(settings map[string]string) (err error) {
 
-	wa.sessions, err = session.NewStore[*webauthn.SessionData]("authentication", 30*time.Minute, 1800, false)
+	wa.sessions, err = session.NewStore[*webauthn.SessionData]("authentication", "WAG-CSRF", 30*time.Minute, 1800, false)
 	return err
 }
 

diff --git a/ui/src/js/devices.js b/ui/src/js/devices.js
@@ -121,7 +121,8 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -180,7 +181,8 @@ function action(onDevices, action, table) {
     credentials: 'same-origin',
     redirect: 'follow',
     headers: {
-      'Content-Type': 'application/json'
+      'Content-Type': 'application/json',
+      'WAG-CSRF': $("#csrf_token").val()
     },
     body: JSON.stringify(data)
   }).then((response) => {

diff --git a/ui/src/js/groups.js b/ui/src/js/groups.js
@@ -119,7 +119,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -179,7 +181,8 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
       },
       body: JSON.stringify(data)
     }).then((response) => {

diff --git a/ui/src/js/policy.js b/ui/src/js/policy.js
@@ -132,7 +132,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -184,7 +186,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(data)
     }).then((response) => {

diff --git a/ui/src/js/settings.js b/ui/src/js/settings.js
@@ -14,7 +14,8 @@ $(function () {
             credentials: 'same-origin',
             redirect: 'follow',
             headers: {
-                'Content-Type': 'application/json'
+                'Content-Type': 'application/json',
+                'WAG-CSRF': $("#csrf_token").val()
             },
             body: JSON.stringify(data)
         }).then((response) => {
@@ -51,7 +52,9 @@ $(function () {
             credentials: 'same-origin',
             redirect: 'follow',
             headers: {
-                'Content-Type': 'application/json'
+                'Content-Type': 'application/json',
+                'WAG-CSRF': $("#csrf_token").val()
+
             },
             body: JSON.stringify(data)
         }).then((response) => {

diff --git a/ui/src/js/tokens.js b/ui/src/js/tokens.js
@@ -99,7 +99,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then(f => {
@@ -127,7 +129,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(data)
     }).then((response) => {

diff --git a/ui/src/js/users.js b/ui/src/js/users.js
@@ -150,7 +150,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -205,7 +207,8 @@ function action(onUsers, action, table) {
     credentials: 'same-origin',
     redirect: 'follow',
     headers: {
-      'Content-Type': 'application/json'
+      'Content-Type': 'application/json',
+      'WAG-CSRF': $("#csrf_token").val()
     },
     body: JSON.stringify(data)
   }).then((response) => {

diff --git a/ui/templates/change_password.html b/ui/templates/change_password.html
@@ -7,6 +7,7 @@ <h6 class="m-0 font-weight-bold text-primary">Change Password</h6>
             </div>
             <div class="card-body">
                 <form method="POST" action="/change_password">
+                    {{ csrfToken }}
                     <div class="form-group">
                         <label for="current_password">Current Password</label>
                         <input type="password" class="form-control" id="current_password" name="current_password">

diff --git a/ui/templates/delete_modal.html b/ui/templates/delete_modal.html
@@ -1,4 +1,5 @@
 {{define "deleteConfirmationModal"}}
+{{ csrfToken }}
 <div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="deleteModalLabel"
     aria-hidden="true">
     <div class="modal-dialog" role="document">

diff --git a/ui/templates/menus.html b/ui/templates/menus.html
@@ -35,7 +35,8 @@
 </head>
 
 <body id="page-top">
-
+    <!-- Main CSRF guard so that JS can read this value and use it -->
+    {{ csrfToken }}
     <!-- Page Wrapper -->
     <div id="wrapper">