
feat: Add TrustedOrigins to the CSRF handler

If admin_server.trusted_origins is set, have the CSRF handler accept
requests whose origin is one of those listed hosts.
Mark Cabanero 1 month ago
parent
commit
27813a50c6
1 changed files with 16 additions and 3 deletions
  1. +16
    -3
      controllers/route.go

+ 16
- 3
controllers/route.go View File

@ -7,6 +7,7 @@ import (
"html/template"
"net/http"
"net/url"
"strings"
"time"
"github.com/NYTimes/gziphandler"
@ -151,9 +152,21 @@ func (as *AdminServer) registerRoutes() {
if len(csrfKey) == 0 {
csrfKey = []byte(auth.GenerateSecureKey(auth.APIKeyLength))
}
csrfHandler := csrf.Protect(csrfKey,
csrf.FieldName("csrf_token"),
csrf.Secure(as.config.UseTLS))
var csrfHandler func(http.Handler) http.Handler
if len(as.config.TrustedOrigins) > 0 {
origins := strings.Split(as.config.TrustedOrigins, ",")
csrfHandler = csrf.Protect(csrfKey,
csrf.FieldName("csrf_token"),
csrf.Secure(as.config.UseTLS),
csrf.TrustedOrigins(origins),
)
log.Infof("Starting server while trusting: %v", origins)
} else {
csrfHandler = csrf.Protect(csrfKey,
csrf.FieldName("csrf_token"),
csrf.Secure(as.config.UseTLS),
)
}
adminHandler := csrfHandler(router)
adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)
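Review bot: The comma-split at `origins := strings.Split(as.config.TrustedOrigins, ",")` hands each raw segment to `csrf.TrustedOrigins` unchanged, so a value such as `a.example.com, b.example.com` produces a second entry with a leading space that can never match, and a trailing comma produces an empty-string entry. If the `csrf` package here is gorilla/csrf (its import is outside the hunk), entries are compared verbatim against the Referer's host, and an empty entry would compare equal to the empty host of a Referer that lacks an authority component, which loosens the admin CSRF check instead of failing closed. Trim each segment and drop empties before building the handler, falling back to the strict default (and logging) when nothing usable remains, so a malformed setting can only narrow the check. The two `csrf.Protect` calls can then collapse into one by accumulating options, which also removes the duplicated `FieldName`/`Secure` arguments; a comment on the config field should state that entries are bare hosts (host or host:port, no scheme) and that every listed host may issue state-changing requests to the admin server. registerRoutes starts and ends outside the hunk.
```go
// … unchanged: csrfKey setup …
// Entries are bare hosts (host or host:port); whitespace and empty
// segments are discarded so a stray comma cannot add a catch-all origin.
var origins []string
for _, o := range strings.Split(as.config.TrustedOrigins, ",") {
	if o = strings.TrimSpace(o); o != "" {
		origins = append(origins, o)
	}
}
opts := []csrf.Option{
	csrf.FieldName("csrf_token"),
	csrf.Secure(as.config.UseTLS),
}
if len(origins) > 0 {
	opts = append(opts, csrf.TrustedOrigins(origins))
	log.Infof("Starting server while trusting: %v", origins)
} else if as.config.TrustedOrigins != "" {
	log.Warnf("admin_server.trusted_origins contained no usable hosts; ignoring")
}
csrfHandler := csrf.Protect(csrfKey, opts...)
// … unchanged: adminHandler wiring …
```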
