- auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options
- auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error
- ui.CSRFField(token) templ component renders hidden _csrf input
- Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken)
- Handlers thread csrf.Token(r) into every page/fragment render call
- NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24)
- main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET
- SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction
- go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper
- All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens
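The commit describes a key loader that reads SESSION_SECRET, hex-decodes it and refuses anything other than 32 bytes so the process fails at startup rather than running with a weak or missing CSRF key. The following is an added illustration of that fail-fast pattern, not the project's own auth package: the function names ParseKey and NewHexKey, the keyLen constant and the error values are assumptions, and only the standard library is used (the real package passes the resulting key to csrf.Protect from gorilla/csrf).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"os"
)

// keyLen is the length the commit message requires for the decoded secret
// (32 bytes, i.e. 64 hex characters, matching `openssl rand -hex 32`).
const keyLen = 32

// ErrMissingSecret is returned when the environment variable is unset or empty.
var ErrMissingSecret = errors.New("SESSION_SECRET is not set")

// ParseKey validates a hex-encoded secret and returns the raw key bytes.
// It is split out from the environment lookup so the checks can be tested
// without touching process state (hypothetical helper, not on the page).
func ParseKey(hexKey string) ([]byte, error) {
	if hexKey == "" {
		return nil, ErrMissingSecret
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		// Reject non-hex input instead of silently using a truncated or
		// partially decoded value as the CSRF signing key.
		return nil, fmt.Errorf("SESSION_SECRET is not valid hex: %w", err)
	}
	if len(key) != keyLen {
		return nil, fmt.Errorf("SESSION_SECRET must decode to %d bytes, got %d", keyLen, len(key))
	}
	return key, nil
}

// LoadKeyFromEnv mirrors the behaviour described in the commit message:
// read SESSION_SECRET, decode, validate, and return an error the caller
// treats as fatal.
func LoadKeyFromEnv() ([]byte, error) {
	return ParseKey(os.Getenv("SESSION_SECRET"))
}

// NewHexKey generates a fresh secret in the documented .env.example format,
// equivalent to `openssl rand -hex 32`, using the OS CSPRNG.
func NewHexKey() (string, error) {
	b := make([]byte, keyLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	key, err := LoadKeyFromEnv()
	if err != nil {
		// Fail fast, as main.go does in the commit: no key, no server.
		log.Fatalf("csrf: %v", err)
	}
	log.Printf("loaded %d-byte CSRF key", len(key))
}
```

Exercise it with `SESSION_SECRET=$(openssl rand -hex 32) go run .`; leaving the variable unset or shortening it exits non-zero before any route is mounted, which is the property the commit is after.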
9 lines, 345 B, Text
package ui

// CSRFField renders the hidden CSRF token input required by gorilla/csrf.
// Every <form method="POST"> must include @ui.CSRFField(csrfToken) as its
// first child so that the middleware can validate the double-submit cookie
// (D-15, AUTH-06).
templ CSRFField(token string) {
	<input type="hidden" name="_csrf" value={ token }/>
}