github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

refactor(global): remove useless code related to CSRF (#387)

pull/382/head
Anthony Lapenna 2016-12-16 14:00:57 +13:00 committed by GitHub
parent 5b16deb73e
commit d9f6124609
3 changed files with 1 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
api/csrf.go
View File

@ -1,48 +0,0 @@
package main
import (
"github.com/gorilla/csrf"
"github.com/gorilla/securecookie"
"io/ioutil"
"log"
"net/http"
)
const keyFile = "authKey.dat"
// newAuthKey reuses an existing CSRF authkey if present or generates a new one
func newAuthKey(path string) []byte {
var authKey []byte
authKeyPath := path + "/" + keyFile
data, err := ioutil.ReadFile(authKeyPath)
if err != nil {
log.Print("Unable to find an existing CSRF auth key. Generating a new key.")
authKey = securecookie.GenerateRandomKey(32)
err := ioutil.WriteFile(authKeyPath, authKey, 0644)
if err != nil {
log.Fatal("Unable to persist CSRF auth key.")
log.Fatal(err)
}
} else {
authKey = data
}
return authKey
}
// newCSRF initializes a new CSRF handler
func newCSRFHandler(keyPath string) func(h http.Handler) http.Handler {
authKey := newAuthKey(keyPath)
return csrf.Protect(
authKey,
csrf.HttpOnly(false),
csrf.Secure(false),
)
}
// newCSRFWrapper wraps a http.Handler to add the CSRF token
func newCSRFWrapper(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-CSRF-Token", csrf.Token(r))
h.ServeHTTP(w, r)
})
}

7
api/handler.go
View File

@ -10,7 +10,7 @@ import (
"os" "os"
) )
// newHandler creates a new http.Handler with CSRF protection // newHandler creates a new http.Handler
func (a *api) newHandler(settings *Settings) http.Handler { func (a *api) newHandler(settings *Settings) http.Handler {
var ( var (
mux = mux.NewRouter() mux = mux.NewRouter()
@ -37,14 +37,9 @@ func (a *api) newHandler(settings *Settings) http.Handler {
mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) { mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) {
templatesHandler(w, r, a.templatesURL) templatesHandler(w, r, a.templatesURL)
}) })
// mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", handler))
mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", addMiddleware(handler, a.authenticate, secureHeaders))) mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", addMiddleware(handler, a.authenticate, secureHeaders)))
mux.PathPrefix("/").Handler(http.StripPrefix("/", fileHandler)) mux.PathPrefix("/").Handler(http.StripPrefix("/", fileHandler))
// CSRF protection is disabled for the moment
// CSRFHandler := newCSRFHandler(a.dataPath)
// return CSRFHandler(newCSRFWrapper(mux))
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
mux.ServeHTTP(w, r) mux.ServeHTTP(w, r)
}) })

7
app/app.js
View File

@ -464,8 +464,6 @@ angular.module('portainer', [
}); });
// The Docker API likes to return plaintext errors, this catches them and disp // The Docker API likes to return plaintext errors, this catches them and disp
// $httpProvider.defaults.xsrfCookieName = 'csrfToken';
// $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
$httpProvider.interceptors.push(function() { $httpProvider.interceptors.push(function() {
return { return {
'response': function(response) { 'response': function(response) {
@ -477,11 +475,6 @@ angular.module('portainer', [
time: 10000 time: 10000
}); });
} }
// CSRF protection is disabled for the moment
// var csrfToken = response.headers('X-Csrf-Token');
// if (csrfToken) {
// document.cookie = 'csrfToken=' + csrfToken;
// }
return response; return response;
} }
}; };