Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date.

[wxiaoguang]

The CSRF protection modules have been broken for a while. For example, comment said: // Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token., however, it doesn't!! That's why a lot of users complain about their work lost.

Related issues:

• Invalid CSRF token issues - unable to recover submitted data #17850
• Show login form and redo action if successful login when trying to comment on an issue where session has timed out. #17282
• Logged out while editing #11797
• Updated text lost on Save when editing existing issue #19126

And maybe more.

This PR does a refactoring to the CSRF related code, removes most unnecessary functions.

It introduces ParseCsrfToken to parse the generated token's issue time, and regenerate the token every minute.

And it fixes some incorrect code in old code, for example: ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()), the EscapeString is incorrect.

The error handling logic in Validate has been simplified, remove many duplicate code.

Totally this PR is +119 −195

[zeripath]

I wonder if it would make sense to move this into a separate package?

[zeripath]

This seems far too frequent. Perhaps this should be hourly?

[wxiaoguang]

This seems far too frequent. Perhaps this should be hourly?

It doesn't matter, it's just a simple hash when generating the token, doesn't cost more resources than other logic.

And the generated token is valid for the next 24 hours, so there should be no problem.

Indeed we can keep generating new tokens on every request, there will still be no performance problem. I just introduced this mechanism in case someone doesn't like generating the tokens (and sending cookies) again and again.

[zeripath]

Can this really be negative?

[wxiaoguang]

Can this really be negative?

For example, the server time changed a lot? Personally I prefer to check the [-duration, duration] range

[wxiaoguang]

ps: if issueTime can be guaranteed to be a monotonic clock, then we do not check the negative range. Checking the negative is not wrong because the issueTime might come from other packages and be refactored.

If you prefer to remove the negative check, it might can be done. However, I think it requires the code to store the mono clock in token, instead of a simple UnixNano ..... currently, issueTime := time.Unix(0, nanos) is a non-monotonic clock

[wxiaoguang]

I wonder if it would make sense to move this into a separate package?

What's the preferred package name and package path?

[silverwind]

What's the preferred package name and package path?

modules/csrf maybe? Not sure if that's what @zeripath means.

[wxiaoguang]

What's the preferred package name and package path?

modules/csrf maybe? Not sure if that's what @zeripath means.

I do not think csrf can be a proper package name. CSRF means Cross site request forgery, it's an attack vector/method. The package is protecting against CSRF attack.

[silverwind]

It's code to handle CSRF, seems pretty clear to me. And a short name is easy to work with.

[wxiaoguang]

TBH, I still think the name csrf is not ideal enough.

And this PR has done what it should do. Moving code into a new package is too much for this PR. Reasons:

1. If we do moving code and changing code at the same time, this PR would become more difficult to be reviewed, and it may introduce potential bugs.
2. Moving code into a new package is not an easy work at the moment. Because modules/context.go need modules/csrf.go and csrf also needs context. Without more related refactoring, there will be a cycle-import error, the downside of Golang. For reason 1, it's not ideal to make these more argument renaming/changing refactoring into this PR.

@zeripath @silverwind