From 2936dc87d074e6d83147c9e6cf4ae8bac4e4af8d Mon Sep 17 00:00:00 2001
From: Daniel Schalla <daniel@schalla.me>
Date: Thu, 2 Aug 2018 00:16:04 +0200
Subject: CSRF Token Implementation for Plugins (#9192)

deleted test config

fix test config

Dont wipe the session token for plugins

Simplified Tokens; Generate CSRF for other sessions

Remove CSRF from Access Token; Remove Getter/Setter from Context

fix removed setter

remove getcsrf helper from plugin api

enforce csrf only for cookie auth
---
 model/session.go      | 14 ++++++++++++++
 model/session_test.go | 15 +++++++++++++++
 2 files changed, 29 insertions(+)

(limited to 'model')

diff --git a/model/session.go b/model/session.go
index 7c6bbe06d..d59e9b183 100644
--- a/model/session.go
+++ b/model/session.go
@@ -135,6 +135,20 @@ func (me *Session) GetUserRoles() []string {
 	return strings.Fields(me.Roles)
 }
 
+func (me *Session) GenerateCSRF() string {
+	token := NewId()
+	me.AddProp("csrf", token)
+	return token
+}
+
+func (me *Session) GetCSRF() string {
+	if me.Props == nil {
+		return ""
+	}
+
+	return me.Props["csrf"]
+}
+
 func SessionsToJson(o []*Session) string {
 	if b, err := json.Marshal(o); err != nil {
 		return "[]"
diff --git a/model/session_test.go b/model/session_test.go
index 5f4a4730d..bf32d2f09 100644
--- a/model/session_test.go
+++ b/model/session_test.go
@@ -63,3 +63,18 @@ func TestSessionJson(t *testing.T) {
 
 	session.SetExpireInDays(10)
 }
+
+func TestSessionCSRF(t *testing.T) {
+	s := Session{}
+	token := s.GetCSRF()
+	assert.Empty(t, token)
+
+	token = s.GenerateCSRF()
+	assert.NotEmpty(t, token)
+
+	token2 := s.GetCSRF()
+	assert.NotEmpty(t, token2)
+	assert.Equal(t, token, token2)
+}
+
+
-- 
cgit v1.2.3-1-g7c22