Add CSRF to login form; format files

Author: federicotdn

Makefile

@@ -20,6 +20,9 @@ proto:
 format:
 	@goimports -w -l $(GO_SOURCES)
 
+format-web:
+	cd pkg/web/ && npm run format
+
 .PHONY: format-check
 format-check:
 	@out=$$(goimports -l $(GO_SOURCES)) && echo "$$out" && test -z "$$out"

k6/internal/01.quickpizza.js

@@ -6,6 +6,7 @@ import chai, {
 chai.config.exitOnError = true;
 
 const BASE_URL = __ENV.BASE_URL || "http://localhost:3333";
+const CSRF = "NTQyNjg1OTc2"
 
 export const options = {
   vus: 1,
@@ -26,7 +27,7 @@ function randomString(length) {
 
 function testDatabaseCreatedUserLogin() {
   describe("Log in as a user that was already inserted in the DB", () => {
-    let data = {username: "synthetics_multihttp_example", password: "synthetics_multihttp_example"};
+    let data = {username: "synthetics_multihttp_example", password: "synthetics_multihttp_example", csrf: CSRF};
     var res = http.post(`${BASE_URL}/api/users/token/login`, JSON.stringify(data), {
       headers: {
         'Content-Type': 'application/json',
@@ -52,6 +53,7 @@ function testCreateUserLogin() {
 
     expect(res.status, "response status").to.equal(201);
 
+	  data.csrf = CSRF;
     res = http.post(`${BASE_URL}/api/users/token/login`, JSON.stringify(data), {
       headers: {
         'Content-Type': 'application/json',
@@ -66,7 +68,8 @@ function testCreateUserLogin() {
     // Invalid password
     var res = http.post(`${BASE_URL}/api/users/token/login`, JSON.stringify({
       username: username,
-      password: "foo",
+	    password: "foo",
+      csrf: CSRF,
     }), {
       headers: {
         'Content-Type': 'application/json',
@@ -80,6 +83,7 @@ function testCreateUserLogin() {
     res = http.post(`${BASE_URL}/api/users/token/login`, JSON.stringify({
       username: "foo",
       password: "foo",
+      csrf: CSRF,
     }), {
       headers: {
         'Content-Type': 'application/json',
@@ -92,6 +96,7 @@ function testCreateUserLogin() {
     res = http.post(`${BASE_URL}/api/users/token/login`, JSON.stringify({
       username: "default",
       password: "foobar",
+      csrf: CSRF,
     }), {
       headers: {
         'Content-Type': 'application/json',

pkg/http/http.go

@@ -144,6 +144,11 @@ const (
 	authHeader             = "Authorization"
 	cookieName             = "qp_user_token"
 	piDecimals             = "1415926535897932384626433832795028841971693993751058209749445923078164"
+
+	// This should be generated dynamically instead.
+	// For simplicity we have one global one, because for demonstration purposes
+	// this is good enough. Note that this is also hardcoded in the login form's HTML.
+	serverCSRFToken = "NTQyNjg1OTc2"
 )
 
 var authError = errors.New("authentication failed")
@@ -416,7 +421,7 @@ func (s *Server) AddTestK6IO() {
 		"/flip_coin.php":   "test.k6.io/flip_coin.html",
 		"/browser.php":     "test.k6.io/browser.html",
 		"/my_messages.php": "test.k6.io/my_messages.html",
-		"/admin.php": "test.k6.io/admin.html",
+		"/admin.php":       "test.k6.io/admin.html",
 	}
 
 	s.router.Group(func(r chi.Router) {
@@ -878,15 +883,21 @@ func (s *Server) AddCatalogHandler(db *database.Catalog) {
 		// token, and return the user token (if credentials are valid).
 		r.Post("/api/users/token/login", func(w http.ResponseWriter, r *http.Request) {
 			type loginData struct {
-				Username string `json:"username"`
-				Password string `json:"password"`
+				Username  string `json:"username"`
+				Password  string `json:"password"`
+				CSRFToken string `json:"csrf"`
 			}
 			var data loginData
 
 			if s.decodeJSONBody(w, r, &data) != nil {
 				return
 			}
 
+			if data.CSRFToken != serverCSRFToken {
+				s.writeJSONErrorResponse(w, r, errors.New("invalid csrf token"), http.StatusUnauthorized)
+				return
+			}
+
 			user, err := db.LoginUser(r.Context(), data.Username, data.Password)
 			if err != nil {
 				s.log.ErrorContext(r.Context(), "Failed to login user", "err", err)

pkg/web/src/routes/login/+page.svelte

@@ -24,7 +24,11 @@
 	async function handleSubmit() {
 		const res = await fetch(`${PUBLIC_BACKEND_ENDPOINT}api/users/token/login?set_cookie=1`, {
 			method: 'POST',
-			body: JSON.stringify({ username: username, password: password }),
+			body: JSON.stringify({
+				username: username,
+				password: password,
+				csrf: document.getElementById('csrf-token').value
+			}),
 			credentials: 'same-origin'
 		});
 		if (!res.ok) {
@@ -112,6 +116,7 @@
 						QuickPizza User Login
 					</h1>
 					<form class="space-y-4 md:space-y-6" on:submit|preventDefault={handleSubmit}>
+						<input type="hidden" name="csrftoken" id="csrf-token" value="NTQyNjg1OTc2" />
 						<div>
 							<label for="text" class="block mb-2 text-sm font-medium text-gray-900"
 								>Username (hint: default)</label

pkg/web/test.k6.io/admin.html

@@ -1,40 +1,42 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-<head>
-<title>My messages</title>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<link rel="icon" href="/test.k6.io/static/favicon.ico" sizes="32x32">
-</head>
-<body>
+	<head>
+		<title>My messages</title>
+		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+		<link rel="icon" href="/test.k6.io/static/favicon.ico" sizes="32x32" />
+	</head>
+	<body>
+		<p><a href="/test.k6.io/">&lt; Back</a></p>
 
-<p><a href="/test.k6.io/">&lt; Back</a></p>
+		<h2>Welcome, admin!</h2>
 
-<h2>Welcome, admin!</h2>
-
-<table cellpadding="3" cellspacing="0" border="1" width="50%">
-<tr>
-  <td width="1%"><b>#</b></td><td><b>From:</b></td><td><b>Subject:</b></td>
-</tr>
-<tr>
-<tr>
-  <td>1</td>
-  <td>DenyHosts</td>
-  <td>DenyHosts report on test.k6.io</td>
-  </tr><tr>
-  <td>2</td>
-  <td>Twitter</td>
-  <td>Grafana is now following you on Mastodon</td>
-  </tr><tr>
-  <td>3</td>
-  <td>Mail Delivery Subsystem</td>
-  <td>Delivery Status Notification (Failure)</td>
-  </tr></tr>
-</table>
-<br>
-<form method="POST" action="/my_messages.php">
-<input type="hidden" name="redir" value="1">
-<input type="hidden" name="csrftoken" value="c3p8Mjtu1K7EbYTm">
-<input type="submit" value="Logout">
-</form>
-</body>
+		<table cellpadding="3" cellspacing="0" border="1" width="50%">
+			<tr>
+				<td width="1%"><b>#</b></td>
+				<td><b>From:</b></td>
+				<td><b>Subject:</b></td>
+			</tr>
+			<tr>
+				<td>1</td>
+				<td>DenyHosts</td>
+				<td>DenyHosts report on test.k6.io</td>
+			</tr>
+			<tr>
+				<td>2</td>
+				<td>Twitter</td>
+				<td>Grafana is now following you on Mastodon</td>
+			</tr>
+			<tr>
+				<td>3</td>
+				<td>Mail Delivery Subsystem</td>
+				<td>Delivery Status Notification (Failure)</td>
+			</tr>
+		</table>
+		<br />
+		<form method="POST" action="/my_messages.php">
+			<input type="hidden" name="redir" value="1" />
+			<input type="hidden" name="csrftoken" value="c3p8Mjtu1K7EbYTm" />
+			<input type="submit" value="Logout" />
+		</form>
+	</body>
 </html>