Enhance CSRF Middleware Integration and Template Token Injection #15

Open
opened 2025-10-29 07:54:47 +00:00 by H3ALY · 0 comments
Owner

Description:
CSRF protection is currently applied globally via nosurf in internal/platform/csrf.Wrap. While this correctly enforces CSRF validation for state-changing requests, template rendering does not automatically include CSRF tokens, requiring manual retrieval in route handlers. Cookie defaults also need tuning for stricter security and configurable behavior.

Refining how CSRF tokens are surfaced to templates, and expanding cookie configuration options, will improve both security and developer ergonomics.

Current Behavior (as observed in code):

csrf.Wrap() correctly wraps SCS.LoadAndSave(router) (good middleware order)

Secure + HttpOnly + SameSite=Lax defaults applied

CSRF cookie name configurable

No built-in mechanism to push tokens into Gin template context

Cookie lacks optional attributes (MaxAge, Domain)

No ability to selectively disable CSRF for routes such as webhooks or health checks

Why this matters:

Every POST form should automatically include the CSRF token

Minimizes risk of developer omission leading to CSRF bypass errors

Improves UX and security consistency across the app

Enhances flexibility for future integrations (admin APIs, 3rd-party callbacks)

Scope / Expected Changes:
✅ Create template helper to inject CSRF token into all forms
✅ Register middleware to attach token value into context for Gin templates
✅ Extend cookie configuration (Domain, MaxAge, possibly Strict mode toggle)
✅ Provide opt-out wrapper for safe public endpoints (webhooks)
✅ Update security documentation to reflect new helpers
✅ Add tests for CSRF token presence + POST protection
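A worked sketch of the changes listed above, added here as an example; it is not the project's code and not nosurf's API. It uses only the Go standard library (net/http instead of Gin) so it runs without third-party modules: a double-submit-cookie guard stands in for the nosurf wrapper, CookieConfig carries the Domain/MaxAge/Strict attributes the issue wants under config control, Wrap stores the token in the request context, a csrfField template helper renders the hidden input so handlers never call nosurf.Token() themselves, and ExemptPath opts a webhook route out of validation. Every name here (CSRF, CookieConfig, FieldName, ExemptPath, NewApp, the /account and /webhook routes, the _csrf cookie name) is assumed for illustration.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"html/template"
	"net/http"
)

// CookieConfig is an assumed config shape (not the project's type) carrying the attributes the issue wants under deploy control.
type CookieConfig struct {
	Name, Domain     string
	MaxAge           int
	Secure, HttpOnly bool
	Strict           bool // SameSite=Strict when true, Lax otherwise
}

const FieldName = "csrf_token" // hidden-input name used by this example
type ctxKey struct{}

// TokenFromContext returns the token Wrap attached to the request.
func TokenFromContext(ctx context.Context) string {
	t, _ := ctx.Value(ctxKey{}).(string)
	return t
}

// Funcs is the template helper: {{ csrfField .Token }} emits the hidden field, so no handler calls the CSRF library directly.
func Funcs() template.FuncMap {
	return template.FuncMap{"csrfField": func(tok string) template.HTML {
		return template.HTML(`<input type="hidden" name="` + FieldName +
			`" value="` + template.HTMLEscapeString(tok) + `">`)
	}}
}

// CSRF is a small double-submit-cookie guard standing in for nosurf.
type CSRF struct {
	Cfg    CookieConfig
	exempt map[string]bool // paths opted out of validation (webhooks, health checks)
}

func New(cfg CookieConfig) *CSRF { return &CSRF{Cfg: cfg, exempt: map[string]bool{}} }
func (c *CSRF) ExemptPath(p string) { c.exempt[p] = true }

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Wrap issues the token cookie, stores the token in the request context, and rejects unsafe-method requests whose submitted token differs from the cookie.
func (c *CSRF) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var tok string
		if ck, err := r.Cookie(c.Cfg.Name); err == nil && len(ck.Value) == 43 { // 32 random bytes, base64url
			tok = ck.Value
		} else {
			tok = newToken()
			ss := http.SameSiteLaxMode
			if c.Cfg.Strict {
				ss = http.SameSiteStrictMode
			}
			http.SetCookie(w, &http.Cookie{Name: c.Cfg.Name, Value: tok, Path: "/", Domain: c.Cfg.Domain,
				MaxAge: c.Cfg.MaxAge, Secure: c.Cfg.Secure, HttpOnly: c.Cfg.HttpOnly, SameSite: ss})
		}
		r = r.WithContext(context.WithValue(r.Context(), ctxKey{}, tok))
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if safe || c.exempt[r.URL.Path] {
			next.ServeHTTP(w, r) // safe methods and exempted paths are never validated
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.FormValue(FieldName)), []byte(tok)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var formTmpl = template.Must(template.New("f").Funcs(Funcs()).Parse(
	`<form method="POST" action="/account">{{ csrfField .Token }}<button>Save</button></form>`))

// NewApp wires it up as the issue describes: Wrap outside the router, a form rendered through the helper, and a webhook route opted out of validation.
func NewApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/account", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			w.Write([]byte("saved"))
			return
		}
		_ = formTmpl.Execute(w, map[string]string{"Token": TokenFromContext(r.Context())})
	})
	mux.HandleFunc("/webhook", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	g := New(CookieConfig{Name: "_csrf", MaxAge: 3600, Secure: true, HttpOnly: true})
	g.ExemptPath("/webhook")
	return g.Wrap(mux)
}
```

Two design points carry over to the real change. The opt-out is keyed by path rather than by wrapping the handler, because Wrap runs before the router dispatches and a per-handler wrapper cannot signal back to it; nosurf's exemption hooks work the same way. The handler for /account never touches the CSRF library: the token travels in the request context and the helper renders it, which is exactly the "no manual nosurf.Token() calls" acceptance criterion.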

Non-Goals:

No removal of nosurf middleware

No change to error UI or messaging handling

Risks / Mitigations:

Medium: Touches global middleware and templates
Mitigation: Introduce opt-in behavior first, roll out incrementally

Acceptance Criteria:
✅ All POST-capable templates use automated CSRF field injection
✅ No form requires manual nosurf.Token() calls
✅ Admin + Account forms validated through automated tests
✅ Cookie settings pulled from config for full deploy control
✅ Webhook endpoints function without CSRF interference

Estimated Effort:
Medium (2–4 dev days)
