Add CSRF checks to chat.
parent
f3749b3812
commit
7a5b0f8ca5
@ -147,6 +147,11 @@ func ChatHandler(app *App) http.HandlerFunc {
|
||||||
currentUsername := currentUser.Username
|
currentUsername := currentUser.Username
|
||||||
|
|
||||||
if r.URL.Query().Get("ws") == "true" {
|
if r.URL.Query().Get("ws") == "true" {
|
||||||
|
if !app.validateCSRFToken(r, session) {
|
||||||
|
http.Error(w, "Invalid CSRF token", http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
ws, err := upgrader.Upgrade(w, r, nil)
|
ws, err := upgrader.Upgrade(w, r, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Error upgrading to WebSocket: %v", err)
|
log.Printf("Error upgrading to WebSocket: %v", err)
|
||||||
|
|
@ -240,6 +245,7 @@ func ChatHandler(app *App) http.HandlerFunc {
|
||||||
CurrentURL: r.URL.RequestURI(),
|
CurrentURL: r.URL.RequestURI(),
|
||||||
ContentTemplate: "chat-content",
|
ContentTemplate: "chat-content",
|
||||||
BodyClass: "chat-page",
|
BodyClass: "chat-page",
|
||||||
|
CSRFToken: app.csrfToken(session),
|
||||||
},
|
},
|
||||||
Board: *board,
|
Board: *board,
|
||||||
Messages: messages,
|
Messages: messages,
|
||||||
|
|
|
||||||
|
|
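Review bot: The token that `app.validateCSRFToken(r, session)` checks before the upgrade is, per the chat.js hunk in this commit, carried in the WebSocket URL's query string (`csrf_token`), so it will be written to access and proxy logs, browser history and any Referer that leaves the page; that exposure is new and the commit does not address it. For a WebSocket handshake browsers always send an Origin header that a cross-site page cannot alter, so the conventional control that leaks nothing is an Origin allow-list in `upgrader.CheckOrigin`, keeping the session-bound token for the non-upgrade request path; if the query-string token is kept, make sure the query string is scrubbed from request logging. validateCSRFToken itself is not in this commit, so confirm that it compares the presented value with `subtle.ConstantTimeCompare` against the session's token and rejects an empty value. The check is only applied inside the `ws == "true"` branch; whether the plain HTTP path of ChatHandler has an equivalent check is outside these hunks. ChatHandler begins before and continues after both hunks.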
@ -9,6 +9,7 @@
|
||||||
const boardId = chatContainer.dataset.boardId;
|
const boardId = chatContainer.dataset.boardId;
|
||||||
const basePath = chatContainer.dataset.basePath || '';
|
const basePath = chatContainer.dataset.basePath || '';
|
||||||
const currentUsername = chatContainer.dataset.currentUsername || '';
|
const currentUsername = chatContainer.dataset.currentUsername || '';
|
||||||
|
const csrfToken = chatContainer.dataset.csrfToken || '';
|
||||||
const usernamesScript = document.getElementById('chat-usernames');
|
const usernamesScript = document.getElementById('chat-usernames');
|
||||||
let allUsernames = [];
|
let allUsernames = [];
|
||||||
if (usernamesScript) {
|
if (usernamesScript) {
|
||||||
|
|
@ -54,7 +55,9 @@
|
||||||
}
|
}
|
||||||
updateConnectionStatus('connecting');
|
updateConnectionStatus('connecting');
|
||||||
|
|
||||||
ws = new WebSocket('ws://' + window.location.host + basePath + '/chat/?ws=true&id=' + boardId);
|
const protocol = window.location.protocol === 'https:' ? 'wss://' : 'ws://';
|
||||||
|
const query = new URLSearchParams({ ws: 'true', id: boardId, csrf_token: csrfToken });
|
||||||
|
ws = new WebSocket(protocol + window.location.host + basePath + '/chat/?' + query.toString());
|
||||||
|
|
||||||
ws.onopen = function() {
|
ws.onopen = function() {
|
||||||
updateConnectionStatus('connected');
|
updateConnectionStatus('connected');
|
||||||
|
|
|
||||||
|
|
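Review bot: `csrfToken` falls back to `''` on the line added in the first hunk, so when the data attribute is missing the client silently builds a handshake with an empty `csrf_token`, the server rejects it with 403, and the browser exposes that only as a generic onerror/onclose that is hard to diagnose. Guard before connecting, e.g. `if (!csrfToken) { console.error('chat: missing CSRF token'); return; }` at the top of the connect function (using whatever status value the existing disconnected path reports), so a misrendered page fails with a clear message rather than retrying. Choosing `wss://` on an https page is a necessary companion to the token change, since a hard-coded `ws://` is blocked as mixed content from a secure page and the chat could not have connected over TLS at all. The connect function begins before the hunk.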
@ -12,10 +12,10 @@
|
||||||
<script src="{{.StaticPath}}/app.js" defer></script>
|
<script src="{{.StaticPath}}/app.js" defer></script>
|
||||||
<script src="{{.StaticPath}}/chat.js" defer></script>
|
<script src="{{.StaticPath}}/chat.js" defer></script>
|
||||||
</head>
|
</head>
|
||||||
<body class="chat-page">
|
<body class="chat-page" data-csrf-token="{{.CSRFToken}}">
|
||||||
{{template "navbar" .}}
|
{{template "navbar" .}}
|
||||||
<main>
|
<main>
|
||||||
<div class="chat-container" data-board-id="{{.Board.ID}}" data-base-path="{{.BasePath}}" data-current-username="{{.CurrentUsername}}">
|
<div class="chat-container" data-board-id="{{.Board.ID}}" data-base-path="{{.BasePath}}" data-current-username="{{.CurrentUsername}}" data-csrf-token="{{.CSRFToken}}">
|
||||||
<div class="chat-breadcrumb">
|
<div class="chat-breadcrumb">
|
||||||
<a href="{{.BasePath}}/">Home</a>
|
<a href="{{.BasePath}}/">Home</a>
|
||||||
<span class="chat-breadcrumb-separator">›</span>
|
<span class="chat-breadcrumb-separator">›</span>
|
||||||
|
|
|
||||||
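Review bot: `data-csrf-token="{{.CSRFToken}}"` is now set twice, on `<body>` and on `.chat-container`, while the chat.js hunk reads only `chatContainer.dataset.csrfToken`; keep one source of truth, and since app.js is loaded on the same page and may read the body attribute (not visible here), confirm which one is actually consumed before dropping the other. Emitting the token in an attribute is safe only if these templates are executed with html/template, which escapes attribute values in context; with text/template a token containing `"` would break out of the attribute, and the template package is not visible in this commit, so confirm. The hunk is a fragment of the chat page template and its surrounding markup is outside the hunk.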