chldapasswd/csrf.go

package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
)

func generateCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(b), nil
}

func setCSRFToken(w http.ResponseWriter) (string, error) {
	token, err := generateCSRFToken()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name:     "csrf_token",
		Value:    token,
		Path:     "/",
		HttpOnly: false, // must be readable via form hidden field comparison
		SameSite: http.SameSiteStrictMode,
	})
	return token, nil
}

func validateCSRF(r *http.Request) bool {
	cookie, err := r.Cookie("csrf_token")
	if err != nil || cookie.Value == "" {
		return false
	}
	formToken := r.PostFormValue("csrf_token")
	return formToken != "" && cookie.Value == formToken
}