chore: fix CSRF (#876)

2 years ago · c9bb2b785d
parent 64e5c343c5
commit c9bb2b785d
2 changed files with 5 additions and 0 deletions
--- a/server/acl.go
+++ b/server/acl.go
@ -27,6 +27,7 @@ func setUserSession(ctx echo.Context, user *api.User) error {
 		Path:     "/",
 		MaxAge:   3600 * 24 * 30,
 		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
 	}
 	sess.Values[userIDContextKey] = user.ID
 	err := sess.Save(ctx.Request(), ctx.Response())
--- a/server/server.go
+++ b/server/server.go
@ -36,6 +36,10 @@ func NewServer(profile *profile.Profile) *Server {
 			`"status":${status},"error":"${error}"}` + "\n",
 	}))

+	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+		TokenLookup: "cookie:_csrf",
+	}))
+
 	e.Use(middleware.CORS())

 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{