Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of [`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection) which relies purely on HTTP headers. Fixes: https://github.com/go-gitea/gitea/issues/11188 Fixes: https://github.com/go-gitea/gitea/issues/30333 Helps: https://github.com/go-gitea/gitea/issues/35107 TODOs: - [x] Fix tests - [ ] Ideally add tests to validates the protection --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-04-18 07:48:48 +01:00 · 2025-12-25 11:33:34 +01:00
parent eddf875992
commit 42d294941c
207 changed files with 178 additions and 1196 deletions
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -225,16 +225,11 @@ func loginUser(t testing.TB, userName string) *TestSession {

 func loginUserWithPassword(t testing.TB, userName, password string) *TestSession {
 	t.Helper()
-	req := NewRequest(t, "GET", "/user/login")
-	resp := MakeRequest(t, req, http.StatusOK)
-
-	doc := NewHTMLParser(t, resp.Body)
-	req = NewRequestWithValues(t, "POST", "/user/login", map[string]string{
-		"_csrf":     doc.GetCSRF(),
+	req := NewRequestWithValues(t, "POST", "/user/login", map[string]string{
 		"user_name": userName,
 		"password":  password,
 	})
-	resp = MakeRequest(t, req, http.StatusSeeOther)
+	resp := MakeRequest(t, req, http.StatusSeeOther)

 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -256,7 +251,6 @@ var tokenCounter int64
 func getTokenForLoggedInUser(t testing.TB, session *TestSession, scopes ...auth.AccessTokenScope) string {
 	t.Helper()
 	urlValues := url.Values{}
-	urlValues.Add("_csrf", GetUserCSRFToken(t, session))
 	urlValues.Add("name", fmt.Sprintf("api-testing-token-%d", atomic.AddInt64(&tokenCounter, 1)))
 	for _, scope := range scopes {
 		urlValues.Add("scope-dummy", string(scope)) // it only needs to start with "scope-" to be accepted
@@ -436,20 +430,3 @@ func VerifyJSONSchema(t testing.TB, resp *httptest.ResponseRecorder, schemaFile
 	assert.Empty(t, result.Errors())
 	assert.True(t, result.Valid())
 }
-
-// GetUserCSRFToken returns CSRF token for current user
-func GetUserCSRFToken(t testing.TB, session *TestSession) string {
-	t.Helper()
-	cookie := session.GetSiteCookie("_csrf")
-	require.NotEmpty(t, cookie)
-	return cookie
-}
-
-// GetUserCSRFToken returns CSRF token for anonymous user (not logged in)
-func GetAnonymousCSRFToken(t testing.TB, session *TestSession) string {
-	t.Helper()
-	resp := session.MakeRequest(t, NewRequest(t, "GET", "/user/login"), http.StatusOK)
-	csrfToken := NewHTMLParser(t, resp.Body).GetCSRF()
-	require.NotEmpty(t, csrfToken)
-	return csrfToken
-}