From 90d45591621a318b5580de2b9d4ce0ffd62f7174 Mon Sep 17 00:00:00 2001
From: NHAS <jordanatararimu@gmail.com>
Date: Wed, 13 Sep 2023 13:36:25 +1200
Subject: [PATCH] Move to using more robust csrf protections

---
 go.mod                                        |   2 +-
 go.sum                                        |   6 +
 .../authenticators/methods/webauthn.go        |   2 +-
 ui/src/js/devices.js                          |   6 +-
 ui/src/js/groups.js                           |   7 +-
 ui/src/js/policy.js                           |   8 +-
 ui/src/js/settings.js                         |   7 +-
 ui/src/js/tokens.js                           |   8 +-
 ui/src/js/users.js                            |   7 +-
 ui/templates/change_password.html             |   1 +
 ui/templates/delete_modal.html                |   1 +
 ui/templates/menus.html                       |   3 +-
 ui/ui_webserver.go                            | 144 +++++++++---------
 13 files changed, 117 insertions(+), 85 deletions(-)

diff --git a/go.mod b/go.mod
index 905e8df4..ed8d9651 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/NHAS/wag
 go 1.21.0
 
 require (
-	github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb
+	github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa
 	github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd
 	github.com/boombuler/barcode v1.0.1
 	github.com/cilium/ebpf v0.11.0
diff --git a/go.sum b/go.sum
index 23be6815..73ccb3b1 100644
--- a/go.sum
+++ b/go.sum
@@ -2,6 +2,12 @@ github.com/NHAS/session v0.0.0-20230829082122-79a308a78ac9 h1:xEvca6Mg8N0T2V5wkM
 github.com/NHAS/session v0.0.0-20230829082122-79a308a78ac9/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
 github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb h1:76HnrEP5YAV0bLaFhrbVv5SuaUYH+DJnPvIXYjdDkvw=
 github.com/NHAS/session v0.0.0-20230912232900-857b7061aedb/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230912234744-c2a3c81af157 h1:elFdIrZIamHa5iUwIAjmQcvt7y1OLnqdUXly/FzmrXg=
+github.com/NHAS/session v0.0.0-20230912234744-c2a3c81af157/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230913001004-e3249bca36e8 h1:qe3uyCZEeRKTkx3UpJ8BhJcdJSnTcGc9r3QqqEDvb+M=
+github.com/NHAS/session v0.0.0-20230913001004-e3249bca36e8/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
+github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa h1:3fKRkxqoQtbOunf2lLIYkTvEC9qw3ADlOCWaugU7S+o=
+github.com/NHAS/session v0.0.0-20230913013109-aef0bdd63caa/go.mod h1:RrYUQgrmfMmXblxB8uWEWhmTKk24PT/VoMsyQ5PD580=
 github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd h1:I3Zx79SVWGG5Qq2tbJDiEiKEpuY53EpUCXx8mYLlNVg=
 github.com/NHAS/webauthn v0.0.0-20230701002608-24fb1253febd/go.mod h1:hglmpEbAdMVhruL46LJXV56PPbEJO6ovBg0uhqIG9Dw=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
diff --git a/internal/webserver/authenticators/methods/webauthn.go b/internal/webserver/authenticators/methods/webauthn.go
index addc752a..a65a9292 100644
--- a/internal/webserver/authenticators/methods/webauthn.go
+++ b/internal/webserver/authenticators/methods/webauthn.go
@@ -28,7 +28,7 @@ type Webauthn struct {
 
 func (wa *Webauthn) Init(settings map[string]string) (err error) {
 
-	wa.sessions, err = session.NewStore[*webauthn.SessionData]("authentication", 30*time.Minute, 1800, false)
+	wa.sessions, err = session.NewStore[*webauthn.SessionData]("authentication", "WAG-CSRF", 30*time.Minute, 1800, false)
 	return err
 }
 
diff --git a/ui/src/js/devices.js b/ui/src/js/devices.js
index 7604c9fe..21c4c9c0 100755
--- a/ui/src/js/devices.js
+++ b/ui/src/js/devices.js
@@ -121,7 +121,8 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -180,7 +181,8 @@ function action(onDevices, action, table) {
     credentials: 'same-origin',
     redirect: 'follow',
     headers: {
-      'Content-Type': 'application/json'
+      'Content-Type': 'application/json',
+      'WAG-CSRF': $("#csrf_token").val()
     },
     body: JSON.stringify(data)
   }).then((response) => {
diff --git a/ui/src/js/groups.js b/ui/src/js/groups.js
index 339a476f..6dacf6e7 100755
--- a/ui/src/js/groups.js
+++ b/ui/src/js/groups.js
@@ -119,7 +119,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -179,7 +181,8 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
       },
       body: JSON.stringify(data)
     }).then((response) => {
diff --git a/ui/src/js/policy.js b/ui/src/js/policy.js
index 53bf0b4b..20afdf43 100755
--- a/ui/src/js/policy.js
+++ b/ui/src/js/policy.js
@@ -132,7 +132,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -184,7 +186,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(data)
     }).then((response) => {
diff --git a/ui/src/js/settings.js b/ui/src/js/settings.js
index c1eea2b8..e78630ae 100644
--- a/ui/src/js/settings.js
+++ b/ui/src/js/settings.js
@@ -14,7 +14,8 @@ $(function () {
             credentials: 'same-origin',
             redirect: 'follow',
             headers: {
-                'Content-Type': 'application/json'
+                'Content-Type': 'application/json',
+                'WAG-CSRF': $("#csrf_token").val()
             },
             body: JSON.stringify(data)
         }).then((response) => {
@@ -51,7 +52,9 @@ $(function () {
             credentials: 'same-origin',
             redirect: 'follow',
             headers: {
-                'Content-Type': 'application/json'
+                'Content-Type': 'application/json',
+                'WAG-CSRF': $("#csrf_token").val()
+
             },
             body: JSON.stringify(data)
         }).then((response) => {
diff --git a/ui/src/js/tokens.js b/ui/src/js/tokens.js
index 36f27eff..cd1beb53 100755
--- a/ui/src/js/tokens.js
+++ b/ui/src/js/tokens.js
@@ -99,7 +99,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then(f => {
@@ -127,7 +129,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(data)
     }).then((response) => {
diff --git a/ui/src/js/users.js b/ui/src/js/users.js
index 81fe1599..59b150ce 100755
--- a/ui/src/js/users.js
+++ b/ui/src/js/users.js
@@ -150,7 +150,9 @@ $(function () {
       credentials: 'same-origin',
       redirect: 'follow',
       headers: {
-        'Content-Type': 'application/json'
+        'Content-Type': 'application/json',
+        'WAG-CSRF': $("#csrf_token").val()
+
       },
       body: JSON.stringify(ids)
     }).then((response) => {
@@ -205,7 +207,8 @@ function action(onUsers, action, table) {
     credentials: 'same-origin',
     redirect: 'follow',
     headers: {
-      'Content-Type': 'application/json'
+      'Content-Type': 'application/json',
+      'WAG-CSRF': $("#csrf_token").val()
     },
     body: JSON.stringify(data)
   }).then((response) => {
diff --git a/ui/templates/change_password.html b/ui/templates/change_password.html
index 44379d0b..ef7dbf3e 100755
--- a/ui/templates/change_password.html
+++ b/ui/templates/change_password.html
@@ -7,6 +7,7 @@ <h6 class="m-0 font-weight-bold text-primary">Change Password</h6>
             </div>
             <div class="card-body">
                 <form method="POST" action="/change_password">
+                    {{ csrfToken }}
                     <div class="form-group">
                         <label for="current_password">Current Password</label>
                         <input type="password" class="form-control" id="current_password" name="current_password">
diff --git a/ui/templates/delete_modal.html b/ui/templates/delete_modal.html
index 0c2ca191..c00e80bd 100644
--- a/ui/templates/delete_modal.html
+++ b/ui/templates/delete_modal.html
@@ -1,4 +1,5 @@
 {{define "deleteConfirmationModal"}}
+{{ csrfToken }}
 <div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="deleteModalLabel"
     aria-hidden="true">
     <div class="modal-dialog" role="document">
diff --git a/ui/templates/menus.html b/ui/templates/menus.html
index 36d577c1..70ac6831 100755
--- a/ui/templates/menus.html
+++ b/ui/templates/menus.html
@@ -35,7 +35,8 @@
 </head>
 
 <body id="page-top">
-
+    <!-- Main CSRF guard so that JS can read this value and use it -->
+    {{ csrfToken }}
     <!-- Page Wrapper -->
     <div id="wrapper">
 
diff --git a/ui/ui_webserver.go b/ui/ui_webserver.go
index 358cfa7e..2851c10a 100644
--- a/ui/ui_webserver.go
+++ b/ui/ui_webserver.go
@@ -11,6 +11,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -24,44 +25,60 @@ import (
 )
 
 var (
-	uiTemplates map[string]*template.Template = map[string]*template.Template{
-		"dashboard": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/management/dashboard.html")),
+	sessionManager *session.SessionStore[data.AdminModel]
+	ctrl           *wagctl.CtrlClient
 
-		"users":               template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/management/users.html", "templates/delete_modal.html")),
-		"devices":             template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/management/devices.html", "templates/delete_modal.html")),
-		"registration_tokens": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/management/registration_tokens.html", "templates/delete_modal.html")),
+	WagVersion string
 
-		"rules":  template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/policy/rules.html", "templates/delete_modal.html")),
-		"groups": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/policy/groups.html", "templates/delete_modal.html")),
+	LogQueue = NewQueue(40)
+)
 
-		"general":          template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/settings/general.html")),
-		"management_users": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/settings/management_users.html")),
-		"change_password":  template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/change_password.html")),
+func renderDefaults(w http.ResponseWriter, r *http.Request, model interface{}, content ...string) error {
 
-		"firewall": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/diagnostics/firewall_state.html")),
-		"wg":       template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/diagnostics/wireguard_peers.html")),
+	contentPath := []string{"templates/menus.html"}
+	for _, path := range content {
+		contentPath = append(contentPath, "templates/"+path)
+	}
+
+	return render(w, r, model, contentPath...)
+
+}
 
-		"error": template.Must(template.ParseFS(templatesContent, "templates/menus.html", "templates/error.html")),
-		"login": template.Must(template.ParseFS(templatesContent, "templates/login.html")),
+func render(w http.ResponseWriter, r *http.Request, model interface{}, content ...string) error {
+
+	name := ""
+	if len(content) > 0 {
+		name = filepath.Base(content[0])
 	}
 
-	sessionManager *session.SessionStore[data.AdminModel]
-	ctrl           *wagctl.CtrlClient
+	parsed, err := template.New(name).Funcs(template.FuncMap{
+		"csrfToken": func() template.HTML {
+			t, _ := sessionManager.GenerateCSRFTokenTemplateHTML(r)
 
-	WagVersion string
+			return t
+		},
+	}).ParseFS(templatesContent, content...)
+	if err != nil {
+		return fmt.Errorf("parse %s: %v", content, err)
+	}
 
-	LogQueue = NewQueue(40)
-)
+	if err := parsed.Execute(w, model); err != nil {
+		return fmt.Errorf("execute %s: %v", content, err)
+	}
+
+	return nil
+}
 
 func doLogin(w http.ResponseWriter, r *http.Request) {
 
 	switch r.Method {
 	case "GET":
-		err := uiTemplates["login"].Execute(w, nil)
+
+		err := render(w, r, nil, "templates/login.html")
 
 		if err != nil {
 			log.Println("unable to render login template:", err)
-			uiTemplates["error"].Execute(w, nil)
+			renderDefaults(w, r, nil, "error.html")
 
 			return
 		}
@@ -70,8 +87,7 @@ func doLogin(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			log.Println("bad form value: ", err)
 
-			uiTemplates["login"].Execute(w, Login{ErrorMessage: "Unable to login"})
-
+			render(w, r, Login{ErrorMessage: "Unable to login"}, "templates/login.html")
 			return
 		}
 
@@ -79,14 +95,14 @@ func doLogin(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			log.Println("admin login failed for user", r.Form.Get("username"), ": ", err)
 
-			uiTemplates["login"].Execute(w, Login{ErrorMessage: "Unable to login"})
+			render(w, r, Login{ErrorMessage: "Unable to login"}, "templates/login.html")
 			return
 		}
 
 		if err := data.SetLastLoginInformation(r.Form.Get("username"), r.RemoteAddr); err != nil {
 			log.Println("unable to login: ", err)
 
-			uiTemplates["login"].Execute(w, Login{ErrorMessage: "Unable to login"})
+			render(w, r, Login{ErrorMessage: "Unable to login"}, "templates/login.html")
 			return
 		}
 
@@ -94,7 +110,7 @@ func doLogin(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			log.Println("unable to login: ", err)
 
-			uiTemplates["login"].Execute(w, Login{ErrorMessage: "Unable to login"})
+			render(w, r, Login{ErrorMessage: "Unable to login"}, "templates/login.html")
 			return
 		}
 
@@ -102,7 +118,7 @@ func doLogin(w http.ResponseWriter, r *http.Request) {
 
 		log.Println(r.Form.Get("username"), r.RemoteAddr, "admin logged in")
 
-		http.Redirect(w, r, "/dashboard", http.StatusTemporaryRedirect)
+		http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
 
 	default:
 		http.NotFound(w, r)
@@ -123,7 +139,7 @@ func populateDashboard(w http.ResponseWriter, r *http.Request) {
 		log.Println("error getting users: ", err)
 
 		w.WriteHeader(http.StatusInternalServerError)
-		uiTemplates["error"].Execute(w, nil)
+		renderDefaults(w, r, nil, "error.html")
 		return
 	}
 
@@ -140,7 +156,7 @@ func populateDashboard(w http.ResponseWriter, r *http.Request) {
 		log.Println("error getting devices: ", err)
 
 		w.WriteHeader(http.StatusInternalServerError)
-		uiTemplates["error"].Execute(w, nil)
+		renderDefaults(w, r, nil, "error.html")
 		return
 	}
 
@@ -162,7 +178,7 @@ func populateDashboard(w http.ResponseWriter, r *http.Request) {
 		log.Println("error getting registrations: ", err)
 
 		w.WriteHeader(http.StatusInternalServerError)
-		uiTemplates["error"].Execute(w, nil)
+		renderDefaults(w, r, nil, "error.html")
 		return
 	}
 
@@ -171,7 +187,7 @@ func populateDashboard(w http.ResponseWriter, r *http.Request) {
 		log.Println("error getting server details: ", err)
 
 		w.WriteHeader(http.StatusInternalServerError)
-		uiTemplates["error"].Execute(w, nil)
+		renderDefaults(w, r, nil, "error.html")
 		return
 	}
 
@@ -198,13 +214,13 @@ func populateDashboard(w http.ResponseWriter, r *http.Request) {
 		LogItems:           LogQueue.ReadAll(),
 	}
 
-	err = uiTemplates["dashboard"].Execute(w, d)
+	err = renderDefaults(w, r, d, "management/dashboard.html")
 
 	if err != nil {
 		log.Println("unable to render dashboard page: ", err)
 
 		w.WriteHeader(http.StatusInternalServerError)
-		uiTemplates["error"].Execute(w, nil)
+		renderDefaults(w, r, nil, "error.html")
 		return
 	}
 }
@@ -258,7 +274,7 @@ func StartWebServer(errs chan<- error) error {
 		}
 	}
 
-	sessionManager, err = session.NewStore[data.AdminModel]("admin", 1*time.Hour, 28800, false)
+	sessionManager, err = session.NewStore[data.AdminModel]("admin", "WAG-CSRF", 1*time.Hour, 28800, false)
 	if err != nil {
 		return err
 	}
@@ -338,15 +354,7 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["wg"].Execute(w, d)
-
-			if err != nil {
-				log.Println("unable to render wg devices page: ", err)
-
-				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
-				return
-			}
+			renderDefaults(w, r, d, "diagnostics/wireguard_peers.html")
 		})
 
 		protectedRoutes.HandleFunc("/diag/wg/data", func(w http.ResponseWriter, r *http.Request) {
@@ -430,13 +438,13 @@ func StartWebServer(errs chan<- error) error {
 				XDPState: string(result),
 			}
 
-			err = uiTemplates["firewall"].Execute(w, d)
+			err = renderDefaults(w, r, d, "diagnostics/firewall_state.html")
 
 			if err != nil {
 				log.Println("unable to render firewall page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 
@@ -462,13 +470,13 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["users"].Execute(w, d)
+			err := renderDefaults(w, r, d, "management/users.html", "delete_modal.html")
 
 			if err != nil {
 				log.Println("unable to render users page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -495,13 +503,13 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["devices"].Execute(w, d)
+			err := renderDefaults(w, r, d, "management/devices.html", "delete_modal.html")
 
 			if err != nil {
 				log.Println("unable to render devices page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -528,13 +536,12 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["registration_tokens"].Execute(w, d)
-
+			err := renderDefaults(w, r, d, "management/registration_tokens.html", "delete_modal.html")
 			if err != nil {
 				log.Println("unable to render registration_tokens page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -560,13 +567,13 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["rules"].Execute(w, d)
+			err := renderDefaults(w, r, d, "policy/rules.html", "delete_modal.html")
 
 			if err != nil {
 				log.Println("unable to render rules page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -593,13 +600,13 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["groups"].Execute(w, d)
+			err := renderDefaults(w, r, d, "policy/groups.html", "delete_modal.html")
 
 			if err != nil {
 				log.Println("unable to render groups page: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -642,13 +649,12 @@ func StartWebServer(errs chan<- error) error {
 				WebauthnEnabled:          false,
 			}
 
-			err := uiTemplates["general"].Execute(w, d)
-
+			err := renderDefaults(w, r, d, "settings/general.html")
 			if err != nil {
 				log.Println("unable to render general: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -675,13 +681,13 @@ func StartWebServer(errs chan<- error) error {
 				WagVersion:  WagVersion,
 			}
 
-			err := uiTemplates["management_users"].Execute(w, d)
+			err := renderDefaults(w, r, d, "settings/management_users.html")
 
 			if err != nil {
 				log.Println("unable to render management_users: ", err)
 
 				w.WriteHeader(http.StatusInternalServerError)
-				uiTemplates["error"].Execute(w, nil)
+				renderDefaults(w, r, nil, "error.html")
 				return
 			}
 		})
@@ -776,11 +782,10 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case "GET":
 
-		err := uiTemplates["change_password"].Execute(w, d)
-
+		err := renderDefaults(w, r, d, "change_password.html")
 		if err != nil {
 			log.Println("unable to render change password page: ", err)
-			uiTemplates["error"].Execute(w, nil)
+			renderDefaults(w, r, nil, "error.html")
 			return
 		}
 
@@ -796,7 +801,7 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 			d.Message = "Error"
 			d.Type = 1
 
-			uiTemplates["change_password"].Execute(w, d)
+			renderDefaults(w, r, d, "change_password.html")
 			return
 		}
 
@@ -807,7 +812,7 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 			d.Message = "Current password is incorrect"
 			d.Type = 1
 
-			uiTemplates["change_password"].Execute(w, d)
+			renderDefaults(w, r, d, "change_password.html")
 			return
 		}
 
@@ -817,7 +822,7 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 			d.Message = "New passwords do not match"
 			d.Type = 1
 
-			uiTemplates["change_password"].Execute(w, d)
+			renderDefaults(w, r, d, "change_password.html")
 			return
 		}
 
@@ -828,12 +833,11 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 			d.Message = "Error: " + err.Error()
 			d.Type = 1
 
-			uiTemplates["change_password"].Execute(w, d)
+			renderDefaults(w, r, d, "change_password.html")
 			return
 		}
 
-		uiTemplates["change_password"].Execute(w, ChangePassword{Message: "Success!", Type: 0})
-
+		renderDefaults(w, r, ChangePassword{Message: "Success!", Type: 0}, "change_password.html")
 	}
 
 }