Refined CSRF Protection Exempt Glob (/api/* to /api/*/*) to provide CSRF protection /api/reset

Added stub for /api/campaigns/:id/launch
2014-02-03 23:41:31 -06:00 · 2014-02-03 23:41:31 -06:00 · 7045c7f3e2
parent e0e15221b1
commit 7045c7f3e2
3 changed files with 8 additions and 2 deletions
--- a/controllers/api.go
+++ b/controllers/api.go
@ -126,6 +126,10 @@ func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func API_Campaigns_Id_Launch(w http.ResponseWriter, r *http.Request) {
+	http.Redirect(w, r, "/", 302)
+}
+
 // API_Groups returns details about the requested group. If the campaign is not
 // valid, API_Groups returns null.
 func API_Groups(w http.ResponseWriter, r *http.Request) {
--- a/controllers/route.go
+++ b/controllers/route.go
@ -33,6 +33,7 @@ func CreateRouter() *nosurf.CSRFHandler {
 	api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin))
 	api.HandleFunc("/campaigns", Use(API_Campaigns, mid.RequireAPIKey))
 	api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey))
+	api.HandleFunc("/campaigns/id:[0-9]+}", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))
 	api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
 	api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))

@ -41,7 +42,7 @@ func CreateRouter() *nosurf.CSRFHandler {

 	//Setup CSRF Protection
 	csrfHandler := nosurf.New(router)
-	csrfHandler.ExemptGlob("/api/*")
+	csrfHandler.ExemptGlob("/api/*/*")
 	csrfHandler.ExemptGlob("/static/*")
 	return csrfHandler
 }
@ -98,8 +99,10 @@ func Settings(w http.ResponseWriter, r *http.Request) {
 		User    models.User
 		Title   string
 		Flashes []interface{}
+		Token   string
 	}{Title: "Settings", User: ctx.Get(r, "user").(models.User)}
 	session := ctx.Get(r, "session").(*sessions.Session)
+	params.Token = nosurf.Token(r)
 	params.Flashes = session.Flashes()
 	session.Save(r, w)
 	getTemplate(w, "settings").ExecuteTemplate(w, "base", params)
--- a/templates/settings.html
+++ b/templates/settings.html
@ -44,7 +44,6 @@
                <button class="btn btn-primary"><i class="fa fa-refresh" type="submit"></i> Reset</button>
                <input type="hidden" name="csrf_token" value={{%.Token%}}/>
            </form>
-            </a>
        </div>
        <br />
        <button class="btn btn-primary">Save</button>