[server] Add CSRF protection with nosurf middleware

infogulch · infogulch · commit dd33ecd8fdf7 · 2025-09-09T13:34:09.000-05:00
This commit integrates the nosurf middleware for CSRF protection,
updates the DotFlush and DotReq structs to include a Token method for
accessing CSRF tokens, and adjusts the request context handling to
support the middleware.
diff --git a/dot_flush.go b/dot_flush.go
@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"strings"
 	"time"
+
+	"github.com/justinas/nosurf"
 )
 
 type dotFlushProvider struct{}
@@ -18,7 +20,7 @@ func (dotFlushProvider) Value(r Request) (any, error) {
 	if !ok {
 		return &DotFlush{}, fmt.Errorf("response writer could not cast to http.Flusher")
 	}
-	return &DotFlush{flusher: f, serverCtx: r.ServerCtx, requestCtx: r.R.Context()}, nil
+	return &DotFlush{flusher: f, serverCtx: r.ServerCtx, request: r.R}, nil
 }
 
 func (dotFlushProvider) Cleanup(v any, err error) error {
@@ -37,8 +39,9 @@ type flusher interface {
 
 // DotFlush is used as the .Flush field for flushing template handlers (SSE).
 type DotFlush struct {
-	flusher               flusher
-	serverCtx, requestCtx context.Context
+	flusher   flusher
+	serverCtx context.Context
+	request   *http.Request
 }
 
 // SendSSE sends an sse message by formatting the provided args as an sse event:
@@ -105,7 +108,7 @@ func (f *DotFlush) Repeat(max_ ...int) <-chan int {
 	loop:
 		for {
 			select {
-			case <-f.requestCtx.Done():
+			case <-f.request.Context().Done():
 				break loop
 			case <-f.serverCtx.Done():
 				break loop
@@ -125,7 +128,7 @@ func (f *DotFlush) Repeat(max_ ...int) <-chan int {
 func (f *DotFlush) Sleep(ms int) (string, error) {
 	select {
 	case <-time.After(time.Duration(ms) * time.Millisecond):
-	case <-f.requestCtx.Done():
+	case <-f.request.Context().Done():
 		return "", ReturnError{}
 	case <-f.serverCtx.Done():
 		return "", ReturnError{}
@@ -137,9 +140,13 @@ func (f *DotFlush) Sleep(ms int) (string, error) {
 // client or until the server closes.
 func (f *DotFlush) WaitForServerStop() (string, error) {
 	select {
-	case <-f.requestCtx.Done():
+	case <-f.request.Context().Done():
 		return "", ReturnError{}
 	case <-f.serverCtx.Done():
 		return "", nil
 	}
 }
+
+func (f *DotFlush) Token() string {
+	return nosurf.Token(f.request)
+}
diff --git a/dot_req.go b/dot_req.go
@@ -3,6 +3,8 @@ package xtemplate
 import (
 	"context"
 	"net/http"
+
+	"github.com/justinas/nosurf"
 )
 
 type dotReqProvider struct{}
@@ -29,3 +31,7 @@ var _ DotConfig = dotReqProvider{}
 type DotReq struct {
 	*http.Request
 }
+
+func (d DotReq) Token() string {
+	return nosurf.Token(d.Request)
+}
diff --git a/go.mod b/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4
 	github.com/google/uuid v1.6.0
 	github.com/infogulch/watch v0.2.0
+	github.com/justinas/nosurf v1.2.0
 	github.com/klauspost/compress v1.18.0
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/nats-io/nats-server/v2 v2.10.24
diff --git a/go.sum b/go.sum
@@ -308,6 +308,8 @@ github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/justinas/nosurf v1.2.0 h1:yMs1bSRrNiwXk4AS6n8vL2Ssgpb9CB25T/4xrixaK0s=
+github.com/justinas/nosurf v1.2.0/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
diff --git a/instance.go b/instance.go
@@ -20,6 +20,7 @@ import (
 
 	"github.com/Masterminds/sprig/v3"
 	"github.com/felixge/httpsnoop"
+	"github.com/justinas/nosurf"
 	"github.com/spf13/afero"
 
 	"github.com/google/uuid"
@@ -251,17 +252,17 @@ func (instance *Instance) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	log := instance.config.Logger.With(slog.Group("serve",
 		slog.String("requestid", rid),
 	))
-	log.LogAttrs(r.Context(), slog.LevelDebug, "serving request",
+	log.LogAttrs(ctx, slog.LevelDebug, "serving request",
 		slog.String("user-agent", r.Header.Get("User-Agent")),
 		slog.String("method", r.Method),
 		slog.String("requestPath", r.URL.Path),
 	)
-	ctx = context.WithValue(ctx, loggerKey, log)
 
-	r = r.WithContext(ctx)
-	metrics := httpsnoop.CaptureMetrics(instance.router, w, r)
+	metrics := httpsnoop.CaptureMetricsFn(w, func(ww http.ResponseWriter) {
+		nosurf.New(instance.router).ServeHTTP(ww, r.WithContext(context.WithValue(ctx, loggerKey, log)))
+	})
 
-	log.LogAttrs(r.Context(), levelDebug2, "request served",
+	log.LogAttrs(ctx, levelDebug2, "request served",
 		slog.Group("response",
 			slog.Duration("duration", metrics.Duration),
 			slog.Int("statusCode", metrics.Code),
