Skip to content

CSRF Protection Added #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Sharath-a26 wants to merge 5 commits into
base: main
Choose a base branch
from
Open

CSRF Protection Added #24

Sharath-a26 wants to merge 5 commits into from

Conversation

@Sharath-a26
Copy link

@Sharath-a26 Sharath-a26 commented Oct 29, 2025

  • A 32-bit CSRF Token will be generated when logged in. Added to both response X-CSRF-Token header and to the cookie.
  • Requests that are not authenticated i.e Login, Register etc. need not pass the token in header
  • Created a middleware CSRFMiddleWare in util to check whether cookie and header token matches.

@Sharath-a26
Copy link
Author

Sharath-a26 commented Oct 29, 2025

@Ashrockzzz2003 Please review and let me know If I need to make any changes

@Ashrockzzz2003 Ashrockzzz2003 self-requested a review October 29, 2025 17:38
@Ashrockzzz2003 Ashrockzzz2003 linked an issue Oct 29, 2025 that may be closed by this pull request
Add CSRF protection as we're using cookies! #14
Open
Ashrockzzz2003
Ashrockzzz2003 requested changes Oct 29, 2025
View reviewed changes
Copy link
Member

@Ashrockzzz2003 Ashrockzzz2003 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we hide it behind a feature flag (env var)?
the other evoc services make requests to this auth and they might not work without changes there.

@Sharath-a26
Copy link
Author

Sharath-a26 commented Oct 29, 2025

Sure, so if that var is set to false, the whole CSRF is disabled. Something like that right?

@Ashrockzzz2003
Copy link
Member

Ashrockzzz2003 commented Oct 29, 2025

Yes

@Sharath-a26
Copy link
Author

Sharath-a26 commented Oct 29, 2025

Done with that change @Ashrockzzz2003

@Ashrockzzz2003 Ashrockzzz2003 self-requested a review October 30, 2025 08:34
Ashrockzzz2003
Ashrockzzz2003 requested changes Oct 31, 2025
View reviewed changes
Copy link
Member

@Ashrockzzz2003 Ashrockzzz2003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sharath
But you need to add csrf to controller/grpc/authenticate.go too as this is the function that'll be called via grpc by other microservices to authenticate requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ashrockzzz2003 Ashrockzzz2003 Ashrockzzz2003 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@Sharath-a26 Sharath-a26

Labels

hacktoberfest-accepted

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add CSRF protection as we're using cookies!

2 participants

@Sharath-a26 @Ashrockzzz2003