Add CSRF checks to signup.

2026-03-06 14:51:14 -03:00 · 2026-03-06 14:51:14 -03:00 · 48363ccef9
parent ff4e05fd0b
commit 48363ccef9
2 changed files with 10 additions and 1 deletions
--- a/handlers/signup.go
+++ b/handlers/signup.go
@ -12,6 +12,11 @@ func SignupHandler(app *App) http.HandlerFunc {
 		session := r.Context().Value("session").(*sessions.Session)
 		cookie, _ := r.Cookie("threadr_cookie_banner")
 		if r.Method == http.MethodPost {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			username := r.FormValue("username")
 			password := r.FormValue("password")
 			passwordConfirm := r.FormValue("password_confirm")
@ -31,6 +36,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 						BasePath:         app.Config.ThreadrDir,
 						StaticPath:       app.Config.ThreadrDir + "/static",
 						CurrentURL:       r.URL.RequestURI(),
+						CSRFToken:        app.csrfToken(session),
 					},
 					Error: "Passwords do not match. Please try again.",
 				}
@ -57,6 +63,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 						BasePath:         app.Config.ThreadrDir,
 						StaticPath:       app.Config.ThreadrDir + "/static",
 						CurrentURL:       r.URL.RequestURI(),
+						CSRFToken:        app.csrfToken(session),
 					},
 					Error: "An error occurred during sign up. Please try again.",
 				}
@ -82,6 +89,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 				BasePath:         app.Config.ThreadrDir,
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
+				CSRFToken:        app.csrfToken(session),
 			},
 			Error: "",
 		}
--- a/templates/pages/signup.html
+++ b/templates/pages/signup.html
@ -17,6 +17,7 @@
            <p class="field-error" style="text-align: center; font-size: 1em;">{{.Error}}</p>
            {{end}}
            <form method="post" action="{{.BasePath}}/signup/">
+                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                <label for="username">Username:</label>
                <input type="text" id="username" name="username" required autocomplete="username" minlength="3" maxlength="30"><br>
                <label for="password">Password:</label>
@ -30,4 +31,4 @@
    {{template "cookie_banner" .}}
 </body>
 </html>
-{{end}}
+{{end}}