Added CSRF & YouTube and dark mode

2025-01-22 17:39:03 +01:00
parent 48e761667f
commit 5a5846d853
29 changed files with 1186 additions and 280 deletions
--- a/backend/api/contact.go
+++ b/backend/api/contact.go
@@ -0,0 +1,61 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"strconv"
+
+	"fr.latosa-escrima/api/core"
+	"gopkg.in/gomail.v2"
+)
+
+type ContactForm struct {
+	Firstname string `json:"firstname"`
+	Lastname  string `json:"lastname"`
+	EMail     string `json:"email"`
+	Subject   string `json:"subject"`
+	Message   string `json:"message"`
+}
+
+func HandleContact(w http.ResponseWriter, r *http.Request) {
+	// TODO: Warning email not being sent ?
+	var form ContactForm
+	err := json.NewDecoder(r.Body).Decode(&form)
+	if err != nil {
+		core.JSONError{
+			Status:  core.Error,
+			Message: err.Error(),
+		}.Respond(w, http.StatusBadRequest)
+		return
+	}
+
+	fmt.Println("Received form", form)
+	fmt.Println("ENV:", os.Environ())
+
+	m := gomail.NewMessage()
+	m.SetHeader("From", os.Getenv("SMTP_EMAIL"))
+	// m.SetHeader("Reply-To", form.EMail)
+	m.SetHeader("To", os.Getenv("SMTP_EMAIL"))
+	m.SetHeader("Subject", form.Subject)
+	m.SetBody("text/plain", fmt.Sprintf("%s %s vous a envoyé un email:\n\n%s", form.Firstname, form.Lastname, form.Message))
+	port, err := strconv.Atoi(os.Getenv("SMTP_PORT"))
+	if err != nil {
+		port = 587
+	}
+	d := gomail.NewDialer(os.Getenv("SMTP_DOMAIN"), port, os.Getenv("SMTP_EMAIL"), os.Getenv("SMTP_APP_PASSWORD"))
+
+	if err = d.DialAndSend(); err != nil {
+		core.JSONError{
+			Status:  core.Error,
+			Message: err.Error(),
+		}.Respond(w, http.StatusInternalServerError)
+		return
+	}
+
+	core.JSONSuccess{
+		Status:  core.Success,
+		Message: "Email sent.",
+	}.Respond(w, http.StatusAccepted)
+}
--- a/backend/api/core/csrf.go
+++ b/backend/api/core/csrf.go
@@ -0,0 +1,3 @@
+package core
+
+var CSRF_KEY = []byte("32-byte-long-auth-key")
--- a/backend/api/get_csrf.go
+++ b/backend/api/get_csrf.go
@@ -0,0 +1,19 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"fr.latosa-escrima/api/core"
+	"github.com/gorilla/csrf"
+)
+
+func HandleCSRF(w http.ResponseWriter, r *http.Request) {
+	token := csrf.Token(r)
+	fmt.Println(token)
+	core.JSONSuccess{
+		Status:  core.Success,
+		Message: "CSRF generated.",
+		Data:    map[string]string{"csrf": token},
+	}.Respond(w, http.StatusOK)
+}
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -12,6 +12,12 @@ require (
 	github.com/uptrace/bun/driver/pgdriver v1.2.8
 )

+require (
+	github.com/gorilla/csrf v1.7.2 // direct
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+)
+
 require (
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
@@ -24,5 +30,6 @@ require (
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
+	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	mellium.im/sasl v0.3.2 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -8,6 +8,10 @@ github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17w
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
+github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
@@ -45,6 +49,10 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
+gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
+gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 mellium.im/sasl v0.3.2 h1:PT6Xp7ccn9XaXAnJ03FcEjmAn7kK1x7aoXV6F+Vmrl0=
--- a/backend/main.go
+++ b/backend/main.go
@@ -2,29 +2,34 @@ package main

 import (
 	"fmt"
-	"github.com/joho/godotenv"
-	"github.com/uptrace/bun/extra/bundebug"
 	"log"
 	"net/http"
 	"os"

+	"github.com/joho/godotenv"
+	"github.com/uptrace/bun/extra/bundebug"
+
 	_ "github.com/lib/pq"

-	api "fr.latosa-escrima/api"
+	"fr.latosa-escrima/api"
 	"fr.latosa-escrima/api/core"
+	"github.com/gorilla/csrf"
 )

+var CORS_AllowOrigin string
+
 func handler(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, "<html><body><h1>Hello, World!</h1></body></html>")
 }
 func Cors(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Allow all origins (can restrict to specific origins)
-		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Origin", CORS_AllowOrigin)
 		// Allow certain HTTP methods (you can customize these as needed)
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH")
 		// Allow certain headers (you can add more as needed)
-		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-CSRF-Token")
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
 		// Handle OPTIONS pre-flight request
 		if r.Method == http.MethodOptions {
 			return
@@ -43,6 +48,7 @@ func main() {
 	port := os.Getenv("BACKEND_DOCKER_PORT")
 	hostname := os.Getenv("DATABASE_HOSTNAME")
 	postgres_port := os.Getenv("POSTGRES_DOCKER_PORT")
+	CORS_AllowOrigin = os.Getenv("CORS_AllowOrigin")
 	if environ == "DEV" {
 		port = os.Getenv("BACKEND_PORT")
 		hostname = "localhost"
@@ -66,6 +72,12 @@ func main() {

 	defer core.DB.Close()

+	CSRFMiddleware := csrf.Protect(
+		core.CSRF_KEY,
+		csrf.Secure(environ != "DEV"),
+		csrf.HttpOnly(true),
+	)
+
 	mux := http.NewServeMux()

 	core.HandleRoutes(mux, map[string]core.Handler{
@@ -108,6 +120,14 @@ func main() {
 			Handler:     api.HandleVerifyMedia,
 			Middlewares: []core.Middleware{api.Methods("POST"), api.AuthJWT},
 		},
+		"/contact": {
+			Handler:     api.HandleContact,
+			Middlewares: []core.Middleware{api.Methods("POST"), CSRFMiddleware},
+		},
+		"/csrf-token": {
+			Handler:     api.HandleCSRF,
+			Middlewares: []core.Middleware{api.Methods("GET"), CSRFMiddleware},
+		},
 	})

 	fmt.Printf("Serving on port %s\n", port)