Add CSRF checks to chat.

jocadbz
Joca 2026-03-06 14:53:40 -03:00
parent f3749b3812
commit 7a5b0f8ca5
Signed by: jocadbz
GPG Key ID: B1836DCE2F50BDF7
3 changed files with 12 additions and 3 deletions


@ -147,6 +147,11 @@ func ChatHandler(app *App) http.HandlerFunc {
currentUsername := currentUser.Username
if r.URL.Query().Get("ws") == "true" {
if !app.validateCSRFToken(r, session) {
http.Error(w, "Invalid CSRF token", http.StatusForbidden)
return
}
ws, err := upgrader.Upgrade(w, r, nil)
if err != nil {
log.Printf("Error upgrading to WebSocket: %v", err)
@ -240,6 +245,7 @@ func ChatHandler(app *App) http.HandlerFunc {
CurrentURL: r.URL.RequestURI(),
ContentTemplate: "chat-content",
BodyClass: "chat-page",
CSRFToken: app.csrfToken(session),
},
Board: *board,
Messages: messages,
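Review bot: The token checked at the top of the `ws=true` branch is carried in the URL query string (chat.js in this commit sends it as `csrf_token`), so it is written to access and proxy logs together with the request path; the check deserves a comment explaining that the query string is used because the browser WebSocket API cannot set request headers, and a short-lived or per-connection token would limit what a logged value is worth. Whether `upgrader` also verifies the `Origin` header is not visible in this hunk; if its origin check is permissive, this token comparison is the only guard against cross-site WebSocket connections, which is worth recording in the same comment, `// Validate the CSRF token before Upgrade: browsers cannot add headers to a WebSocket handshake, so the token arrives as a query parameter.` The comparison semantics (constant-time or not) live in validateCSRFToken, outside the hunk. ChatHandler starts and ends outside both hunks.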


@ -9,6 +9,7 @@
const boardId = chatContainer.dataset.boardId;
const basePath = chatContainer.dataset.basePath || '';
const currentUsername = chatContainer.dataset.currentUsername || '';
const csrfToken = chatContainer.dataset.csrfToken || '';
const usernamesScript = document.getElementById('chat-usernames');
let allUsernames = [];
if (usernamesScript) {
@ -54,7 +55,9 @@
}
updateConnectionStatus('connecting');
ws = new WebSocket('ws://' + window.location.host + basePath + '/chat/?ws=true&id=' + boardId);
const protocol = window.location.protocol === 'https:' ? 'wss://' : 'ws://';
const query = new URLSearchParams({ ws: 'true', id: boardId, csrf_token: csrfToken });
ws = new WebSocket(protocol + window.location.host + basePath + '/chat/?' + query.toString());
ws.onopen = function() {
updateConnectionStatus('connected');
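Review bot: `csrfToken` silently falls back to `''` when the `data-csrf-token` attribute is absent, and the connection opened on the rewritten `new WebSocket(...)` line will then be refused with 403 by the server; if the surrounding connect logic retries on close (not visible here), that becomes a reconnect loop with no diagnostic. A guard before `updateConnectionStatus('connecting')` would make the misconfiguration visible at once, `if (!csrfToken) { console.error('chat: missing CSRF token, not connecting'); return; }`. Deriving `wss://` from `window.location.protocol` is a sound change, since the removed hard-coded `ws://` would have been refused as mixed content on an HTTPS page. The enclosing connect function starts and ends outside the hunk.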


@ -12,10 +12,10 @@
<script src="{{.StaticPath}}/app.js" defer></script>
<script src="{{.StaticPath}}/chat.js" defer></script>
</head>
<body class="chat-page">
<body class="chat-page" data-csrf-token="{{.CSRFToken}}">
{{template "navbar" .}}
<main>
<div class="chat-container" data-board-id="{{.Board.ID}}" data-base-path="{{.BasePath}}" data-current-username="{{.CurrentUsername}}">
<div class="chat-container" data-board-id="{{.Board.ID}}" data-base-path="{{.BasePath}}" data-current-username="{{.CurrentUsername}}" data-csrf-token="{{.CSRFToken}}">
<div class="chat-breadcrumb">
<a href="{{.BasePath}}/">Home</a>
<span class="chat-breadcrumb-separator"></span>
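Review bot: `data-csrf-token` is now emitted twice, on `<body>` and on `.chat-container`, while the chat.js hunk in this commit reads only `chatContainer.dataset.csrfToken`; unless app.js (not in view) consumes the body attribute, one copy is dead and the two can drift apart on a later edit. Prefer a single location, or add a template comment naming the consumer of each, `{{/* data-csrf-token on .chat-container is read by chat.js */}}`. Attribute escaping of `{{.CSRFToken}}` depends on the template being executed through html/template rather than text/template, which this section does not show.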