Updated README

Added CSRF Protection to login, /api/reset functions Added auto highlighting of API key when clicked
2014-02-03 17:21:56 -06:00 · 2014-02-03 17:21:56 -06:00 · e0e15221b1
parent ca884fd384
commit e0e15221b1
6 changed files with 19 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ Until then, you can keep up-to-date with development news and articles on [my bl
 Installation of gophish is dead-simple - once the binaries are released (coming soon!), just download and extract the zip, and run the binary. Gophish will have binary releases for all platforms.

 ###Setup
-After running the gophish binary, open an Internet browser to http://localhost:3333 and follow the setup instructions.
+After running the gophish binary, open an Internet browser to http://localhost:3333 and login with the default username (admin) and password (gophish).

 ###License
 gophish - Open-Source Phishing Framework
--- a/controllers/api.go
+++ b/controllers/api.go
@ -34,7 +34,7 @@ func API(w http.ResponseWriter, r *http.Request) {
 // API (/api/reset) resets a user's API key
 func API_Reset(w http.ResponseWriter, r *http.Request) {
 	switch {
-	case r.Method == "GET":
+	case r.Method == "POST":
 		u := ctx.Get(r, "user").(models.User)
 		// Inspired from gorilla/securecookie
 		k := make([]byte, 32)
--- a/controllers/route.go
+++ b/controllers/route.go
@ -11,11 +11,12 @@ import (
 	"github.com/jordan-wright/gophish/auth"
 	mid "github.com/jordan-wright/gophish/middleware"
 	"github.com/jordan-wright/gophish/models"
+	"github.com/justinas/nosurf"
 )

 var templateDelims = []string{"{{%", "%}}"}

-func CreateRouter() *mux.Router {
+func CreateRouter() *nosurf.CSRFHandler {
 	router := mux.NewRouter()
 	// Base Front-end routes
 	router.HandleFunc("/login", Login)
@ -37,7 +38,12 @@ func CreateRouter() *mux.Router {

 	//Setup static file serving
 	router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
-	return router
+
+	//Setup CSRF Protection
+	csrfHandler := nosurf.New(router)
+	csrfHandler.ExemptGlob("/api/*")
+	csrfHandler.ExemptGlob("/static/*")
+	return csrfHandler
 }

 // Use allows us to stack middleware to process the request
@ -113,7 +119,8 @@ func Login(w http.ResponseWriter, r *http.Request) {
 		User    models.User
 		Title   string
 		Flashes []interface{}
-	}{Title: "Login"}
+		Token   string
+	}{Title: "Login", Token: nosurf.Token(r)}
 	session := ctx.Get(r, "session").(*sessions.Session)
 	switch {
 	case r.Method == "GET":
--- a/templates/api_doc.html
+++ b/templates/api_doc.html
@ -1,4 +1,4 @@
-{{%define "content"%}} {{%template "nav"%}}
+{{%define "content"%}} {{%template "nav" .User%}}
 <div class="jumbotron">
    <div class="container" style="text-align:center;">
        <h1 class="sans header">
--- a/templates/login.html
+++ b/templates/login.html
@ -9,6 +9,7 @@
        <label class="checkbox">
            <input type="checkbox" value="remember-me">Remember me
        </label>
+        <input type="hidden" name="csrf_token" value={{%.Token%}}/>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
    </form>
 </div>
--- a/templates/settings.html
+++ b/templates/settings.html
@ -38,10 +38,12 @@
                </p>
            </div>
            <div class="col-md-6">
-                <input type="text" value="{{%.User.APIKey%}}" class="form-control" readonly/>
+                <input type="text" onclick="this.select();" value="{{%.User.APIKey%}}" class="form-control" readonly/>
            </div>
-            <a href="/api/reset">
-            <button class="btn btn-primary"><i class="fa fa-refresh"></i> Reset</button>
+            <form action="/api/reset" method="POST">
+                <button class="btn btn-primary"><i class="fa fa-refresh" type="submit"></i> Reset</button>
+                <input type="hidden" name="csrf_token" value={{%.Token%}}/>
+            </form>
            </a>
        </div>
        <br />