Implement CSRF protection

This commit adds CSRF protection based on the gorilla/csrf package. Node dependencies have been updated. Logging uses sirupsen/logrus for log level support now.
2020-12-05 19:46:15 +01:00 · 2020-12-05 19:46:15 +01:00 · 1f8c44689e
commit 1f8c44689e
parent e13c9d174b
6 changed files with 7088 additions and 710 deletions
--- a/templates/index.html
+++ b/templates/index.html
@ -6,7 +6,7 @@

    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="css/styles.min.css"
-          integrity="sha384-z6vVrRFOae08oK23yt6itLI8bfPDebhJw60IbTu43zFoAELolv/CiNUBScry21Fa" crossorigin="anonymous">
+          integrity="sha384-vKuz4xd0kXa+x9wRdibDAVE8gXC/1up2T9QVSas8Rk07AZhzOzbwFdj00XUjOO4i" crossorigin="anonymous">
    <meta name="theme-color" content="#ffffff">

    <title>{{ .Title }}</title>
@ -17,6 +17,7 @@
    <div class="row">
        <div class="col-12">
            <form id="csr-form">
+                {{ .csrfField }}
                <div class="form-group">
                    <label for="nameInput">{{ .NameLabel }}</label>
                    <input type="text" class="form-control" id="nameInput" aria-describedby="nameHelp" required
@ -79,7 +80,7 @@
 <script src="js/i18next.min.js" integrity="sha384-Juj1kpjwKBUTV6Yp9WHG4GdeoMxCmx0zBN9SkwlyrAh5QYWb3l4WrfG7oTv/b00a"
        crossorigin="anonymous"></script>
 <script>
-    async function postData(url = '', data = {}) {
+    async function postData(url = '', data = {}, csrfToken) {
        const response = await fetch(url, {
            method: 'POST',
            mode: 'cors',
@ -87,6 +88,7 @@
            credentials: 'same-origin',
            headers: {
                'Content-Type': 'application/json',
+                'X-CSRF-Token': csrfToken,
            },
            redirect: "error",
            referrerPolicy: "no-referrer",
@ -104,6 +106,7 @@
        document.getElementById('csr-form').onsubmit = function (event) {
            const subject = event.target["nameInput"].value;
            const password = event.target["passwordInput"].value;
+            const csrfToken = event.target["csrfToken"].value;
            const keySize = parseInt(event.target["keySize"].value);
            if (isNaN(keySize)) {
                return false;
@ -145,7 +148,7 @@
                        const sendButton =
                            document.getElementById("send-button");
                        sendButton.addEventListener("click", function () {
-                            postData("/sign/", {"csr": csrPem, "commonName": subject})
+                            postData("/sign/", {"csr": csrPem, "commonName": subject}, csrfToken)
                                .then(data => {
                                    console.log(data);
                                    document.getElementById("crt").innerHTML = data["certificate"];