

csrf: thread cfg.Session.Secure into the cookie's Secure flag (SR2 H6)

Pre-fix: handlers.go:172 hardcoded CSRFConfig{Secure: false} with
comment 'S37 enables under TLS'. The session cookie correctly
honored cfg.Secure via server.go's session-store wiring; the CSRF
cookie did not. Caddy 301-redirects http→https in practice, but
the cookie was still settable/readable over plaintext if anyone
crafted an http:// link.

Post-fix:
- handlers.Deps gains CookieSecure: bool.
- server.go threads cfg.Session.Secure (already true on prod TLS
deployment per inventory). Tests and dev keep the false default.
- CSRFConfig.Secure now mirrors deps.CookieSecure.
Authored by espadonne
SHA
f7c0e60f54cf334a469be097383f43675482f062
Parents
6ea11a9
Tree
6ca1307

2 changed files

StatusFile+-
M internal/web/handlers/handlers.go 9 1
M internal/web/server.go 1 0
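--- a/internal/web/handlers/handlers.go
+++ b/internal/web/handlers/handlers.go
@@ -30,6 +30,12 @@ type Deps struct {
 	StaticFS     fs.FS
 	LogoSVG      string
 	SessionStore session.Store
+	// CookieSecure is the Secure flag for session-related cookies
+	// (currently the CSRF cookie). Mirrors session.Config.Secure
+	// from the loaded config so the CSRF cookie matches the
+	// session cookie in TLS deployments. Defaults to false when
+	// unset, which is correct for tests and dev (SR2 H6).
+	CookieSecure bool
 	// ReadyCheck is optionally invoked by /readyz. Returning a non-nil
 	// error makes /readyz report 503. If nil, /readyz always reports ready.
 	ReadyCheck func(context.Context) error
@@ -169,7 +175,9 @@ func RegisterChi(r *chi.Mux, deps Deps) (*chi.Mux, middleware.PanicHandler, http
 	}
 
 	csrf := middleware.CSRF(middleware.CSRFConfig{
-		Secure: false, // S37 enables under TLS
+		// SR2 H6: session-cookie Secure flag mirrors here so TLS
+		// deployments don't accept the CSRF cookie over plaintext.
+		Secure: deps.CookieSecure,
 		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			rr.HTTPError(w, r, http.StatusForbidden, "csrf")
 		}),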
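Review bot: The new `Secure: deps.CookieSecure` wiring in RegisterChi has no test pinning it, so a later revert to a hardcoded value would pass CI unnoticed; the commit message notes that tests keep the false default, which is exactly the configuration that cannot detect such a regression. A small test that calls RegisterChi with `CookieSecure: true`, drives a request that causes the CSRF cookie to be set, and asserts `Secure` on the resulting `http.Cookie` would cover the attribute end to end. The CSRFConfig literal in this hunk shows only Secure and FailureHandler; if CSRFConfig also exposes SameSite or HttpOnly, it is worth confirming they are set explicitly rather than left to middleware defaults. RegisterChi's body continues outside the hunk on both sides.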
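--- a/internal/web/server.go
+++ b/internal/web/server.go
@@ -142,6 +142,7 @@ func Run(ctx context.Context, opts Options) error {
 		StaticFS:     StaticFS(),
 		LogoSVG:      string(logoBytes),
 		SessionStore: sessionStore,
+		CookieSecure: cfg.Session.Secure,
 	}
 	if pool != nil {
 		deps.ReadyCheck = func(ctx context.Context) error { return pool.Ping(ctx) }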
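Review bot: `CookieSecure: cfg.Session.Secure` ties the CSRF cookie's Secure attribute to a config value rather than to whether the server is actually serving TLS, so a TLS deployment whose config leaves Session.Secure false would still emit a non-Secure CSRF cookie with no signal at startup. If Run knows whether TLS is enabled (not visible in this hunk), a warning log when TLS is on and cfg.Session.Secure is false would surface that misconfiguration; the commit message's reliance on the inventory for the prod value suggests nothing in code enforces it. The session-store wiring that already consumes cfg.Session.Secure is outside this hunk, so the two cannot be confirmed consistent from here, and Run's body continues outside the hunk on both sides.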