Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820.

config/config.go

@@ -2,8 +2,9 @@ package config
 
 import (
 	"encoding/json"
-	log "github.com/gophish/gophish/logger"
 	"io/ioutil"
+
+	log "github.com/gophish/gophish/logger"
 )
 
 // AdminServer represents the Admin server configuration details
@@ -12,6 +13,7 @@ type AdminServer struct {
 	UseTLS    bool   `json:"use_tls"`
 	CertPath  string `json:"cert_path"`
 	KeyPath   string `json:"key_path"`
+	CSRFKey   string `json:"csrf_key"`
 }
 
 // PhishServer represents the Phish server configuration details

config/config_test.go

@@ -62,6 +62,7 @@ func TestLoadConfig(t *testing.T) {
 	}
 	expectedConfig.MigrationsPath = expectedConfig.MigrationsPath + expectedConfig.DBName
 	expectedConfig.TestFlag = false
+	expectedConfig.AdminConf.CSRFKey = ""
 	if !reflect.DeepEqual(expectedConfig, conf) {
 		t.Fatalf("invalid config received. expected %#v got %#v", expectedConfig, conf)
 	}

controllers/route.go

@@ -138,7 +138,11 @@ func (as *AdminServer) registerRoutes() {
 	router.PathPrefix("/").Handler(http.FileServer(unindexed.Dir("./static/")))
 
 	// Setup CSRF Protection
-	csrfHandler := csrf.Protect([]byte(util.GenerateSecureKey()),
+	csrfKey := []byte(as.config.CSRFKey)
+	if len(csrfKey) == 0 {
+		csrfKey = []byte(util.GenerateSecureKey())
+	}
+	csrfHandler := csrf.Protect(csrfKey,
 		csrf.FieldName("csrf_token"),
 		csrf.Secure(as.config.UseTLS))
 	adminHandler := csrfHandler(router)