diff --git a/api/csrf.go b/api/csrf.go
deleted file mode 100644
index 4377ee343..000000000
--- a/api/csrf.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package main
-
-import (
- "github.com/gorilla/csrf"
- "github.com/gorilla/securecookie"
- "io/ioutil"
- "log"
- "net/http"
-)
-
-const keyFile = "authKey.dat"
-
-// newAuthKey reuses an existing CSRF authkey if present or generates a new one
-func newAuthKey(path string) []byte {
- var authKey []byte
- authKeyPath := path + "/" + keyFile
- data, err := ioutil.ReadFile(authKeyPath)
- if err != nil {
- log.Print("Unable to find an existing CSRF auth key. Generating a new key.")
- authKey = securecookie.GenerateRandomKey(32)
- err := ioutil.WriteFile(authKeyPath, authKey, 0644)
- if err != nil {
- log.Fatal("Unable to persist CSRF auth key.")
- log.Fatal(err)
- }
- } else {
- authKey = data
- }
- return authKey
-}
-
-// newCSRF initializes a new CSRF handler
-func newCSRFHandler(keyPath string) func(h http.Handler) http.Handler {
- authKey := newAuthKey(keyPath)
- return csrf.Protect(
- authKey,
- csrf.HttpOnly(false),
- csrf.Secure(false),
- )
-}
-
-// newCSRFWrapper wraps a http.Handler to add the CSRF token
-func newCSRFWrapper(h http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("X-CSRF-Token", csrf.Token(r))
- h.ServeHTTP(w, r)
- })
-}
diff --git a/api/handler.go b/api/handler.go
index f0d902659..e8d7ad831 100644
--- a/api/handler.go
+++ b/api/handler.go
@@ -10,7 +10,7 @@ import (
 "os"
 )
 
-// newHandler creates a new http.Handler with CSRF protection
+// newHandler creates a new http.Handler
 func (a *api) newHandler(settings *Settings) http.Handler {
 var (
 mux = mux.NewRouter()
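Review bot: The new doc comment on `newHandler` drops the CSRF mention but does not say what, if anything, now guards state-changing requests, and with api/csrf.go deleted in the same commit nothing left in the code records that decision. Suggest `// newHandler creates a new http.Handler. CSRF protection is not applied at this layer; /dockerapi/ is guarded only by the authenticate and secureHeaders middleware (see addMiddleware below).` Whether that is sufficient depends on how a.authenticate carries its credential — a token that script must attach explicitly is not sent automatically by the browser, whereas a session cookie would be — which this hunk does not show, so confirm before merging. The same gap applies to the second handler.go hunk, where the commented-out CSRFHandler wiring is removed without a replacement note. The body of newHandler continues outside this hunk.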
@@ -37,14 +37,9 @@ func (a *api) newHandler(settings *Settings) http.Handler { mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) { templatesHandler(w, r, a.templatesURL) }) - // mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", handler)) mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", addMiddleware(handler, a.authenticate, secureHeaders))) - mux.PathPrefix("/").Handler(http.StripPrefix("/", fileHandler)) - // CSRF protection is disabled for the moment - // CSRFHandler := newCSRFHandler(a.dataPath) - // return CSRFHandler(newCSRFWrapper(mux)) return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { mux.ServeHTTP(w, r) }) diff --git a/app/app.js b/app/app.js index 144f407d8..ea6c6c24c 100644 --- a/app/app.js +++ b/app/app.js @@ -464,8 +464,6 @@ angular.module('portainer', [ }); // The Docker API likes to return plaintext errors, this catches them and disp - // $httpProvider.defaults.xsrfCookieName = 'csrfToken'; - // $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'; $httpProvider.interceptors.push(function() { return { 'response': function(response) { @@ -477,11 +475,6 @@ angular.module('portainer', [ time: 10000 }); } - // CSRF protection is disabled for the moment - // var csrfToken = response.headers('X-Csrf-Token'); - // if (csrfToken) { - // document.cookie = 'csrfToken=' + csrfToken; - // } return response; } };