Use csrf tokens and validation with login and register forms

controllers/getController.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"GoWeb/app"
 	"GoWeb/database/models"
+	"GoWeb/security"
 	"GoWeb/templating"
 	"net/http"
 )
@@ -25,11 +26,39 @@ func (getController *GetController) ShowHome(w http.ResponseWriter, r *http.Requ
 }
 
 func (getController *GetController) ShowRegister(w http.ResponseWriter, r *http.Request) {
-	templating.RenderTemplate(getController.App, w, "templates/pages/register.html", nil)
+	type dataStruct struct {
+		csrf_token string
+	}
+
+	// Create csrf token
+	csrf_token, err := security.GenerateCsrfToken(w, r)
+	if err != nil {
+		return
+	}
+
+	data := dataStruct{
+		csrf_token: csrf_token,
+	}
+
+	templating.RenderTemplate(getController.App, w, "templates/pages/register.html", data)
 }
 
 func (getController *GetController) ShowLogin(w http.ResponseWriter, r *http.Request) {
-	templating.RenderTemplate(getController.App, w, "templates/pages/login.html", nil)
+	type dataStruct struct {
+		csrf_token string
+	}
+
+	// Create csrf token
+	csrf_token, err := security.GenerateCsrfToken(w, r)
+	if err != nil {
+		return
+	}
+
+	data := dataStruct{
+		csrf_token: csrf_token,
+	}
+
+	templating.RenderTemplate(getController.App, w, "templates/pages/login.html", data)
 }
 
 func (getController *GetController) Logout(w http.ResponseWriter, r *http.Request) {

controllers/postController.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"GoWeb/app"
 	"GoWeb/database/models"
+	"GoWeb/security"
 	"log"
 	"net/http"
 	"time"
@@ -14,6 +15,13 @@ type PostController struct {
 }
 
 func (postController *PostController) Login(w http.ResponseWriter, r *http.Request) {
+	// Validate csrf token
+	_, err := security.VerifyCsrfToken(r)
+	if err != nil {
+		log.Println("Error verifying csrf token")
+		return
+	}
+
 	username := r.FormValue("username")
 	password := r.FormValue("password")
 
@@ -22,7 +30,7 @@ func (postController *PostController) Login(w http.ResponseWriter, r *http.Reque
 		http.Redirect(w, r, "/login", http.StatusFound)
 	}
 
-	_, err := models.AuthenticateUser(postController.App, w, username, password)
+	_, err = models.AuthenticateUser(postController.App, w, username, password)
 	if err != nil {
 		log.Println("Error authenticating user")
 		log.Println(err)
@@ -34,6 +42,13 @@ func (postController *PostController) Login(w http.ResponseWriter, r *http.Reque
 }
 
 func (postController *PostController) Register(w http.ResponseWriter, r *http.Request) {
+	// Validate csrf token
+	_, err := security.VerifyCsrfToken(r)
+	if err != nil {
+		log.Println("Error verifying csrf token")
+		return
+	}
+
 	username := r.FormValue("username")
 	password := r.FormValue("password")
 	createdAt := time.Now()
@@ -44,7 +59,7 @@ func (postController *PostController) Register(w http.ResponseWriter, r *http.Re
 		http.Redirect(w, r, "/register", http.StatusFound)
 	}
 
-	_, err := models.CreateUser(postController.App, username, password, createdAt, updatedAt)
+	_, err = models.CreateUser(postController.App, username, password, createdAt, updatedAt)
 	if err != nil {
 		log.Println("Error creating user")
 		log.Println(err)

templates/pages/login.html

@@ -2,6 +2,8 @@
 
 {{ define "content" }}
 <form action="/login-handle" method="post">
+    <input type="hidden" name="csrf_token" value="{{ .csrfToken }}">
+
     <label for="username">Username:</label><br>
     <input id="username" name="username" type="text" value="John"><br><br>
     <label for="password">Password:</label><br>

templates/pages/register.html

@@ -2,6 +2,8 @@
 
 {{ define "content" }}
 <form action="/register-handle" method="post">
+    <input type="hidden" name="csrf_token" value="{{ .csrfToken }}">
+    
     <label for="username">Username:</label><br>
     <input id="username" name="username" type="text" value="John"><br><br>
     <label for="password">Password:</label><br>