fix(csrf): update middleware usage to comply with gorilla/csrf changes (#4343)

Author: erka

.gitignore

@@ -60,3 +60,4 @@ build/mage_output_file.go
 !**/**/testdata/*.rego
 
 release-notes.md
+config/dev.yml

config/flipt.schema.cue

@@ -42,6 +42,7 @@ import "list"
 			state_lifetime: =~#duration | *"10m"
 			csrf?: {
 				key: string
+				secure?:        bool
 			}
 		}
 

config/flipt.schema.json

@@ -84,7 +84,8 @@
             "csrf": {
               "type": "object",
               "properties": {
-                "key": { "type": "string" }
+                "key": { "type": "string" },
+                "secure": { "type": "boolean" }
               },
               "required": []
             }
@@ -1426,8 +1427,7 @@
     "experimental": {
       "type": "object",
       "additionalProperties": false,
-      "properties": {
-      },
+      "properties": {},
       "title": "Experimental"
     }
   }

go.work.sum

@@ -173,10 +173,14 @@ func NewHTTPServer(
 						r = csrf.UnsafeSkipCheck(r)
 					}
 
+					if !cfg.Authentication.Session.CSRF.Secure {
+						r = csrf.PlaintextHTTPRequest(r)
+					}
+
 					handler.ServeHTTP(w, r)
 				})
 			})
-			r.Use(csrf.Protect([]byte(key), csrf.Path("/")))
+			r.Use(csrf.Protect([]byte(key), csrf.Path("/"), csrf.Secure(cfg.Authentication.Session.CSRF.Secure)))
 		}
 
 		r.Mount("/api/v1", api)

internal/cmd/http.go

@@ -134,6 +134,9 @@ func (c *AuthenticationConfig) setDefaults(v *viper.Viper) error {
 		"session": map[string]any{
 			"token_lifetime": "24h",
 			"state_lifetime": "10m",
+			"csrf": map[string]any{
+				"secure": true,
+			},
 		},
 		"methods": methods,
 	})
@@ -241,6 +244,8 @@ type AuthenticationSession struct {
 type AuthenticationSessionCSRF struct {
 	// Key is the private key string used to authenticate csrf tokens.
 	Key string `json:"-" mapstructure:"key"`
+	// Secure signals to the CSRF middleware that the request is being served over TLS or plaintext HTTP
+	Secure bool `json:"secure,omitempty" mapstructure:"secure" yaml:"secure,omitempty"`
 }
 
 // AuthenticationMethods is a set of configuration for each authentication

internal/config/authentication.go

@@ -438,7 +438,8 @@ func stringToEnumHookFunc[T constraints.Integer](mappings map[string]T) mapstruc
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{}) (interface{}, error) {
+		data interface{},
+	) (interface{}, error) {
 		if f.Kind() != reflect.String {
 			return data, nil
 		}
@@ -456,7 +457,8 @@ func experimentalFieldSkipHookFunc(types ...reflect.Type) mapstructure.DecodeHoo
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{}) (interface{}, error) {
+		data interface{},
+	) (interface{}, error) {
 		if len(types) == 0 {
 			return data, nil
 		}
@@ -482,7 +484,8 @@ func stringToEnvsubstHookFunc() mapstructure.DecodeHookFunc {
 	return func(
 		f reflect.Type,
 		t reflect.Type,
-		data interface{}) (interface{}, error) {
+		data interface{},
+	) (interface{}, error) {
 		if f.Kind() != reflect.String || f != reflect.TypeOf("") {
 			return data, nil
 		}
@@ -501,7 +504,8 @@ func stringToSliceHookFunc() mapstructure.DecodeHookFunc {
 	return func(
 		f reflect.Kind,
 		t reflect.Kind,
-		data interface{}) (interface{}, error) {
+		data interface{},
+	) (interface{}, error) {
 		if f != reflect.String || t != reflect.Slice {
 			return data, nil
 		}
@@ -637,6 +641,9 @@ func Default() *Config {
 			Session: AuthenticationSession{
 				TokenLifetime: 24 * time.Hour,
 				StateLifetime: 10 * time.Minute,
+				CSRF: AuthenticationSessionCSRF{
+					Secure: true,
+				},
 			},
 		},
 

internal/config/config.go

@@ -578,7 +578,8 @@ func TestLoad(t *testing.T) {
 								},
 							},
 						},
-					}}
+					},
+				}
 				return cfg
 			},
 		},
@@ -695,7 +696,8 @@ func TestLoad(t *testing.T) {
 						TokenLifetime: 24 * time.Hour,
 						StateLifetime: 10 * time.Minute,
 						CSRF: AuthenticationSessionCSRF{
-							Key: "abcdefghijklmnopqrstuvwxyz1234567890", //gitleaks:allow
+							Key:    "abcdefghijklmnopqrstuvwxyz1234567890", //gitleaks:allow
+							Secure: true,
 						},
 					},
 					Methods: AuthenticationMethods{
@@ -869,7 +871,8 @@ func TestLoad(t *testing.T) {
 						TokenLifetime: 24 * time.Hour,
 						StateLifetime: 10 * time.Minute,
 						CSRF: AuthenticationSessionCSRF{
-							Key: "abcdefghijklmnopqrstuvwxyz1234567890", //gitleaks:allow
+							Key:    "abcdefghijklmnopqrstuvwxyz1234567890", //gitleaks:allow
+							Secure: true,
 						},
 					},
 					Methods: AuthenticationMethods{
@@ -1789,13 +1792,11 @@ func TestGetConfigFile(t *testing.T) {
 	}
 }
 
-var (
-	// add any struct tags to match their camelCase equivalents here.
-	camelCaseMatchers = map[string]string{
-		"requireTLS":   "requireTLS",
-		"discoveryURL": "discoveryURL",
-	}
-)
+// add any struct tags to match their camelCase equivalents here.
+var camelCaseMatchers = map[string]string{
+	"requireTLS":   "requireTLS",
+	"discoveryURL": "discoveryURL",
+}
 
 func TestStructTags(t *testing.T) {
 	configType := reflect.TypeOf(Config{})