fix: clean invalid csrf cookies (#246)

Author: trim21

csrf/csrf.go

@@ -3,6 +3,7 @@ package csrf
 import (
 	"context"
 	"net/http"
+	"time"
 
 	"github.com/gorilla/securecookie"
 	"github.com/rs/zerolog/log"
@@ -65,6 +66,7 @@ func New() func(http.Handler) http.Handler {
 				Path:     "/",
 				Secure:   true,
 				HttpOnly: true,
+				MaxAge:   int(time.Hour/time.Second) * 24 * 7,
 			})
 
 			next.ServeHTTP(w, r.WithContext(
@@ -86,6 +88,16 @@ func Verify(r *http.Request, token string) bool {
 	return v.UserID == session.GetSession(r.Context()).UserID
 }
 
+func Clear(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     CookiesName,
+		Value:    "",
+		Path:     "/",
+		Secure:   true,
+		HttpOnly: true,
+	})
+}
+
 type cookieValue struct {
 	UserID int32 `json:"user_id"`
 }

episode.go

@@ -333,6 +333,7 @@ func (h *handler) deleteEpisodePatch(w http.ResponseWriter, r *http.Request) err
 	}
 
 	if !csrf.Verify(r, r.PostForm.Get(csrf.FormName)) {
+		csrf.Clear(w)
 		http.Error(w, "csrf failed", http.StatusBadRequest)
 		return nil
 	}

review.go

@@ -16,6 +16,7 @@ func (h *handler) handleReview(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	if !csrf.Verify(r, r.PostForm.Get(csrf.FormName)) {
+		csrf.Clear(w)
 		http.Error(w, "csrf failed", http.StatusBadRequest)
 		return nil
 	}

subject.go

@@ -673,6 +673,7 @@ func (h *handler) deleteSubjectPatch(w http.ResponseWriter, r *http.Request) err
 	}
 
 	if !csrf.Verify(r, r.PostForm.Get(csrf.FormName)) {
+		csrf.Clear(w)
 		http.Error(w, "csrf failed", http.StatusBadRequest)
 		return nil
 	}