fix(csrf): skip trustedorigin for http request and check x-forwarded-proto for reverse proxy [BE-11832] (#713)

2025-07-20 13:59:40 +02:00 · 2025-05-09 13:45:33 +12:00 · 2025-05-09 13:45:33 +12:00 · 4240cbf029
commit 4240cbf029
parent eb28dd4f4e
4 changed files with 40 additions and 4 deletions
--- a/api/http/middlewares/plaintext_http_request.go
+++ b/api/http/middlewares/plaintext_http_request.go
@ -0,0 +1,36 @@
+package middlewares
+
+import (
+	"net/http"
+	"slices"
+
+	"github.com/gorilla/csrf"
+)
+
+var (
+	// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
+	safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
+)
+
+type plainTextHTTPRequestHandler struct {
+	next http.Handler
+}
+
+func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if slices.Contains(safeMethods, r.Method) {
+		h.next.ServeHTTP(w, r)
+		return
+	}
+
+	req := r
+	// If original request was HTTPS (via proxy), keep CSRF checks.
+	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
+		req = csrf.PlaintextHTTPRequest(r)
+	}
+
+	h.next.ServeHTTP(w, req)
+}
+
+func PlaintextHTTPRequest(next http.Handler) http.Handler {
+	return &plainTextHTTPRequestHandler{next: next}
+}