diff --git a/api/http/middlewares/plaintext_http_request.go b/api/http/middlewares/plaintext_http_request.go new file mode 100644 index 000000000..668346098 --- /dev/null +++ b/api/http/middlewares/plaintext_http_request.go @@ -0,0 +1,36 @@ +package middlewares + +import ( + "net/http" + "slices" + + "github.com/gorilla/csrf" +) + +var ( + // Idempotent (safe) methods as defined by RFC7231 section 4.2.2. + safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"} +) + +type plainTextHTTPRequestHandler struct { + next http.Handler +} + +func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + if slices.Contains(safeMethods, r.Method) { + h.next.ServeHTTP(w, r) + return + } + + req := r + // If original request was HTTPS (via proxy), keep CSRF checks. + if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" { + req = csrf.PlaintextHTTPRequest(r) + } + + h.next.ServeHTTP(w, req) +} + +func PlaintextHTTPRequest(next http.Handler) http.Handler { + return &plainTextHTTPRequestHandler{next: next} +} diff --git a/api/http/server.go b/api/http/server.go index 3b3fff77d..183a78c04 100644 --- a/api/http/server.go +++ b/api/http/server.go @@ -349,7 +349,7 @@ func (server *Server) Start() error { log.Info().Str("bind_address", server.BindAddress).Msg("starting HTTP server") httpServer := &http.Server{ Addr: server.BindAddress, - Handler: handler, + Handler: middlewares.PlaintextHTTPRequest(handler), ErrorLog: errorLogger, } diff --git a/go.mod b/go.mod index 19ebbfa60..3193c560c 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.2 github.com/google/go-cmp v0.6.0 github.com/google/uuid v1.6.0 - github.com/gorilla/csrf v1.7.2 + github.com/gorilla/csrf v1.7.3 github.com/gorilla/mux v1.8.1 github.com/gorilla/websocket v1.5.0 github.com/hashicorp/go-version v1.7.0 @@ -243,7 +243,6 @@ require ( github.com/spf13/cast v1.7.0 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stretchr/objx v0.5.2 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect github.com/theupdateframework/notary v0.7.0 // indirect github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375 // indirect diff --git a/go.sum b/go.sum index eed5e28b8..3f4be510b 100644 --- a/go.sum +++ b/go.sum @@ -338,8 +338,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI= -github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk= +github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0= +github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=