portainer/api/http/middlewares/plaintext_http_request.go

package middlewares

import (
	"net/http"
	"slices"

	"github.com/gorilla/csrf"
)

var (
	// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
	safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
)

type plainTextHTTPRequestHandler struct {
	next http.Handler
}

func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if slices.Contains(safeMethods, r.Method) {
		h.next.ServeHTTP(w, r)
		return
	}

	req := r
	// If original request was HTTPS (via proxy), keep CSRF checks.
	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
		req = csrf.PlaintextHTTPRequest(r)
	}

	h.next.ServeHTTP(w, req)
}

func PlaintextHTTPRequest(next http.Handler) http.Handler {
	return &plainTextHTTPRequestHandler{next: next}
}
fix(csrf): skip the trusted origins check for plain-text HTTP requests BE-11832 (#710) Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com> Co-authored-by: oscarzhou <oscar.zhou@portainer.io> 2025-05-08 23:39:29 -03:00			`package middlewares`

			`import (`
			`"net/http"`
			`"slices"`

			`"github.com/gorilla/csrf"`
			`)`

			`var (`
			`// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.`
			`safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}`
			`)`

			`type plainTextHTTPRequestHandler struct {`
			`next http.Handler`
			`}`

			`func (h plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`if slices.Contains(safeMethods, r.Method) {`
			`h.next.ServeHTTP(w, r)`
			`return`
			`}`

			`req := r`
			`// If original request was HTTPS (via proxy), keep CSRF checks.`
			`if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {`
			`req = csrf.PlaintextHTTPRequest(r)`
			`}`

			`h.next.ServeHTTP(w, req)`
			`}`

			`func PlaintextHTTPRequest(next http.Handler) http.Handler {`
			`return &plainTextHTTPRequestHandler{next: next}`
			`}`