some experiments with csrf. we probably will not do this.

cmd/liwords-api/main.go

@@ -25,6 +25,7 @@ import (
 	_ "github.com/golang-migrate/migrate/v4/database/postgres"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
 	"github.com/gomodule/redigo/redis"
+	"github.com/gorilla/csrf"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/justinas/alice"
 	"github.com/nats-io/nats.go"
@@ -114,7 +115,7 @@ func main() {
 	if cfg.SecretKey == "" {
 		panic("secret key must be non blank")
 	}
-	if cfg.Debug {
+	if cfg.DebugLogging {
 		zerolog.SetGlobalLevel(zerolog.DebugLevel)
 	} else {
 		zerolog.SetGlobalLevel(zerolog.InfoLevel)
@@ -160,13 +161,24 @@ func main() {
 		panic(err)
 	}
 
+	csrfOptions := []csrf.Option{
+		csrf.Path("/"),
+	}
+
+	if cfg.Dev {
+		log.Info().Msg("in-dev-environment")
+		csrfOptions = append(csrfOptions, csrf.Secure(false))
+	}
+
+	csrf := csrf.Protect([]byte(cfg.SecretKey), csrfOptions...)
+
 	middlewares := alice.New(
 		hlog.NewHandler(log.With().Str("service", "liwords").Logger()),
 		apiserver.ExposeResponseWriterMiddleware,
 		apiserver.AuthenticationMiddlewareGenerator(stores.SessionStore),
 		apiserver.APIKeyMiddlewareGenerator(),
 		config.CtxMiddlewareGenerator(cfg),
-
+		csrf,
 		hlog.AccessHandler(func(r *http.Request, status int, size int, d time.Duration) {
 			path := strings.Split(r.URL.Path, "/")
 			method := path[len(path)-1]

docker-compose.yml

@@ -14,7 +14,8 @@ services:
       DB_PASSWORD: pass
       DB_SSL_MODE: disable
       SECRET_KEY: jqxztripletriple
-      DEBUG: 1
+      DEBUG_LOGGING: 1
+      DEV: 1
       NATS_URL: nats://nats:4222
       REGISTRATION_CODE: foobar
       MAILGUN_KEY: ${MAILGUN_KEY:-default}

go.mod

@@ -80,6 +80,8 @@ require (
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
+	github.com/gorilla/csrf v1.7.2 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect

go.sum

@@ -134,6 +134,10 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
+github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=

pkg/config/config.go

@@ -47,7 +47,8 @@ type Config struct {
 
 	TourneyPDFLambdaFunctionName string
 
-	Debug bool
+	DebugLogging bool
+	Dev          bool
 }
 
 type ctxKey string
@@ -64,7 +65,8 @@ func (c *Config) Load(args []string) error {
 
 	fs := flag.NewFlagSet("liwords", flag.ContinueOnError)
 
-	fs.BoolVar(&c.Debug, "debug", false, "debug logging on")
+	fs.BoolVar(&c.DebugLogging, "debug-logging", false, "debug logging on")
+	fs.BoolVar(&c.Dev, "dev", false, "development mode on (false on prod)")
 
 	fs.StringVar(&c.DBHost, "db-host", "", "the database host")
 	fs.StringVar(&c.DBPort, "db-port", "", "the database port")