fix(csrf): mark requests as plaintext when SecureCookies=false#2
Open
syswave-dev wants to merge 1 commit into jonradoff:main from
gorilla/csrf v1.7.x defaults the assumed request scheme to https for Origin validation. With secure_cookies: false (HTTP dev mode), the browser sends Origin: http://localhost:8082 but the middleware compares against https://localhost:8082, causing scheme mismatch and ErrBadOrigin on every POST. csrf.Secure(false) only controls the cookie's Secure flag, not the Origin check. Wrapping the middleware to call csrf.PlaintextHTTPRequest(r) before validation resolves the issue without affecting production deployments where SecureCookies=true. Verified locally: Ubuntu 22.04, Go 1.24, MongoDB 7.0 replica set, LightCMS v6.0.2 dev mode. /cm/login POST now succeeds where it previously returned 403. Refs jonradoff#1
Fixes #1.

Problem

Login via /cm/login returns 403 Invalid or missing CSRF token on every POST when running locally with secure_cookies: false. Root cause is in the gorilla/csrf v1.7.x Origin validation behavior described in detail in #1.

Fix

Wrap the CSRF middleware to mark every request as plaintext via csrf.PlaintextHTTPRequest(r) before validation runs, but only when cfg.SecureCookies is false. Production deployments with SecureCookies=true are byte-for-byte unchanged.

Verification

/cm/login returns 403 with the CSRF error.

Scope

cmd/server/main.go. if !cfg.SecureCookies { ... } — production with secure cookies is byte-for-byte unchanged.

Notes

Bug analysis was assisted by Claude Code, which traced the gorilla/csrf middleware chain and identified the scheme-comparison logic. The fix itself is stock library API usage (csrf.PlaintextHTTPRequest).
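A stdlib-only Go model of the mechanism behind this PR, added here as an illustration and not the PR's or gorilla/csrf's own code: originAllowed stands in for the library's scheme-sensitive Origin comparison and markPlaintext for csrf.PlaintextHTTPRequest (both hypothetical names), wrapCSRF has the shape of the fix, and loginStatus shows a constructed plain-HTTP localhost POST getting 403 under the https assumption and 200 once the request is flagged plaintext.

```go
package main

import (
	"context"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// plaintextKey is the context flag set by markPlaintext, a hypothetical stand-in for csrf.PlaintextHTTPRequest.
type plaintextKey struct{}
func markPlaintext(r *http.Request) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), plaintextKey{}, true))
}

// originAllowed models the PR's scheme-sensitive check: expected origin = assumed scheme + r.Host.
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // no Origin header: nothing to compare here
	}
	scheme := "https" // the default assumption the PR describes for gorilla/csrf v1.7.x
	if flag, _ := r.Context().Value(plaintextKey{}).(bool); flag {
		scheme = "http"
	}
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == scheme && u.Host == r.Host
}

// wrapCSRF has the shape of the fix: flag plaintext only when secure cookies are off.
func wrapCSRF(secureCookies bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !secureCookies {
			r = markPlaintext(r)
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead && !originAllowed(r) {
			http.Error(w, "Forbidden - bad origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// loginStatus simulates a dev-mode browser POST to /cm/login (constructed request, not real traffic).
func loginStatus(secureCookies bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "http://localhost:8082/cm/login", nil)
	req.Header.Set("Origin", "http://localhost:8082")
	rec := httptest.NewRecorder()
	wrapCSRF(secureCookies, ok).ServeHTTP(rec, req)
	return rec.Code
}
```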