avoidik
diff --git a/‎cmd/web/handlers.go
Lines changed: 0 additions & 11 deletions b/‎cmd/web/handlers.go
Lines changed: 0 additions & 11 deletions
diff --git a/‎cmd/web/middleware.go
Lines changed: 27 additions & 0 deletions b/‎cmd/web/middleware.go
Lines changed: 27 additions & 0 deletions
diff --git a/‎cmd/web/routes.go
Lines changed: 10 additions & 10 deletions b/‎cmd/web/routes.go
Lines changed: 10 additions & 10 deletions
diff --git a/‎cmd/web/views.go
Lines changed: 10 additions & 6 deletions b/‎cmd/web/views.go
Lines changed: 10 additions & 6 deletions
diff --git a/‎glide.lock
Lines changed: 5 additions & 2 deletions b/‎glide.lock
Lines changed: 5 additions & 2 deletions
diff --git a/‎glide.yaml
Lines changed: 1 addition & 0 deletions b/‎glide.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎ui/html/base.html
Lines changed: 1 addition & 0 deletions b/‎ui/html/base.html
Lines changed: 1 addition & 0 deletions
diff --git a/‎ui/html/login.page.html
Lines changed: 2 additions & 1 deletion b/‎ui/html/login.page.html
Lines changed: 2 additions & 1 deletion
diff --git a/‎ui/html/new.page.html
Lines changed: 1 addition & 0 deletions b/‎ui/html/new.page.html
Lines changed: 1 addition & 0 deletions
diff --git a/‎ui/html/signup.page.html
Lines changed: 1 addition & 0 deletions b/‎ui/html/signup.page.html
Lines changed: 1 addition & 0 deletions
diff --git a/‎vendor/github.com/justinas/nosurf/.gitignore
Lines changed: 29 additions & 0 deletions b/‎vendor/github.com/justinas/nosurf/.gitignore
Lines changed: 29 additions & 0 deletions
diff --git a/‎vendor/github.com/justinas/nosurf/.travis.yml
Lines changed: 23 additions & 0 deletions b/‎vendor/github.com/justinas/nosurf/.travis.yml
Lines changed: 23 additions & 0 deletions
diff --git a/‎vendor/github.com/justinas/nosurf/LICENSE
Lines changed: 20 additions & 0 deletions b/‎vendor/github.com/justinas/nosurf/LICENSE
Lines changed: 20 additions & 0 deletions
diff --git a/‎vendor/github.com/justinas/nosurf/README.md
Lines changed: 125 additions & 0 deletions b/‎vendor/github.com/justinas/nosurf/README.md
Lines changed: 125 additions & 0 deletions
@@ -6,7 +6,6 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
-	"strings"
 
 	"snippetbox.org/pkg/forms"
 	"snippetbox.org/pkg/models"
@@ -105,16 +104,6 @@ func (app *App) VersionInfo(w http.ResponseWriter, r *http.Request) {
 	http.ServeFile(w, r, verFile)
 }
 
-func DisableIndex(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if strings.HasSuffix(r.URL.Path, "/") {
-			http.Error(w, "Nothing to see here", http.StatusNotFound)
-			return
-		}
-		next.ServeHTTP(w, r)
-	})
-}
-
 func (app *App) SignupUser(w http.ResponseWriter, r *http.Request) {
 	app.RenderHtml(w, r, "signup.page.html", &HtmlData{
 		Form: &forms.SignupUser{},
 
@@ -3,6 +3,9 @@ package main
 import (
 	"log"
 	"net/http"
+	"strings"
+
+	"github.com/justinas/nosurf"
 )
 
 func LogRequest(next http.Handler) http.Handler {
@@ -37,3 +40,27 @@ func (app *App) RequireLogin(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func NoSurf(next http.Handler) http.Handler {
+	csrfHandler := nosurf.New(next)
+	csrfHandler.SetBaseCookie(http.Cookie{
+		HttpOnly: true,
+		Path:     "/",
+		Secure:   true,
+	})
+	return csrfHandler
+}
+
+func DisableIndex(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/") {
+			http.Error(w, "Nothing to see here", http.StatusNotFound)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func StripStatic(next http.Handler) http.Handler {
+	return http.StripPrefix("/static", next)
+}
@@ -10,20 +10,20 @@ import (
 func (app *App) Routes() http.Handler {
 	mux := pat.New()
 
-	mux.Get("/", http.HandlerFunc(app.Home))
+	mux.Get("/", alice.New(NoSurf).Then(http.HandlerFunc(app.Home)))
 
-	mux.Get("/snippet/new", alice.New(app.RequireLogin).Then(http.HandlerFunc(app.NewSnippet)))
-	mux.Post("/snippet/new", alice.New(app.RequireLogin).Then(http.HandlerFunc(app.CreateSnippet)))
-	mux.Get("/snippet/:id", http.HandlerFunc(app.ShowSnippet))
+	mux.Get("/snippet/new", alice.New(app.RequireLogin, NoSurf).Then(http.HandlerFunc(app.NewSnippet)))
+	mux.Post("/snippet/new", alice.New(app.RequireLogin, NoSurf).Then(http.HandlerFunc(app.CreateSnippet)))
+	mux.Get("/snippet/:id", alice.New(NoSurf).Then(http.HandlerFunc(app.ShowSnippet)))
 
-	mux.Get("/user/signup", http.HandlerFunc(app.SignupUser))
-	mux.Post("/user/signup", http.HandlerFunc(app.CreateUser))
-	mux.Get("/user/login", http.HandlerFunc(app.LoginUser))
-	mux.Post("/user/login", http.HandlerFunc(app.VerifyUser))
-	mux.Post("/user/logout", alice.New(app.RequireLogin).Then(http.HandlerFunc(app.LogoutUser)))
+	mux.Get("/user/signup", alice.New(NoSurf).Then(http.HandlerFunc(app.SignupUser)))
+	mux.Post("/user/signup", alice.New(NoSurf).Then(http.HandlerFunc(app.CreateUser)))
+	mux.Get("/user/login", alice.New(NoSurf).Then(http.HandlerFunc(app.LoginUser)))
+	mux.Post("/user/login", alice.New(NoSurf).Then(http.HandlerFunc(app.VerifyUser)))
+	mux.Post("/user/logout", alice.New(app.RequireLogin, NoSurf).Then(http.HandlerFunc(app.LogoutUser)))
 
 	fileServer := http.FileServer(http.Dir(app.staticDir))
-	mux.Get("/static/", http.StripPrefix("/static", DisableIndex(fileServer)))
+	mux.Get("/static/", alice.New(StripStatic, DisableIndex).Then(fileServer))
 
 	mux.Get("/version", http.HandlerFunc(app.VersionInfo))
 
 
@@ -7,16 +7,18 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/justinas/nosurf"
 	"snippetbox.org/pkg/models"
 )
 
 type HtmlData struct {
-	Form     interface{}
-	Path     string
-	Flash    string
-	LoggedIn bool
-	Snippet  *models.Snippet
-	Snippets []*models.Snippet
+	CSRFtoken string
+	Form      interface{}
+	Path      string
+	Flash     string
+	LoggedIn  bool
+	Snippet   *models.Snippet
+	Snippets  []*models.Snippet
 }
 
 func humanDate(t time.Time) string {
@@ -30,6 +32,8 @@ func (app *App) RenderHtml(w http.ResponseWriter, r *http.Request, page string,
 
 	data.Path = r.URL.Path
 
+	data.CSRFtoken = nosurf.Token(r)
+
 	var err error
 	data.LoggedIn, err = app.LoggedIn(r)
 	if err != nil {
 
@@ -9,3 +9,4 @@ import:
 - package: golang.org/x/crypto
   subpackages:
   - bcrypt
+- package: github.com/justinas/nosurf
@@ -20,6 +20,7 @@ <h1><a href="/">Snippetbox</a></h1>
                 New Snippet
             </a>
             <form action="/user/logout" method="POST">
+                <input type="hidden" name="csrf_token" value="{{.CSRFtoken}}">
                 <button>Logout</button>
             </form>
             {{else}}
 
@@ -5,6 +5,7 @@
     <div class="flash">{{.}}</div>
     {{end}}
     <form action="/user/login" method="POST" novalidate>
+        <input type="hidden" name="csrf_token" value="{{.CSRFtoken}}">
         {{with .Form}}
             {{with .Failures.Generic}}
             <div class="error">{{.}}</div>
@@ -23,7 +24,7 @@
                 {{end}}
                 <input type="password" name="password">
             </div>
-            <div>
+            <div>                
                 <input type="submit" value="Submit">
             </div>
         {{end}}
 
@@ -2,6 +2,7 @@
 
 {{define "page-body"}}
 <form action="/snippet/new" method="POST">
+    <input type="hidden" name="csrf_token" value="{{.CSRFtoken}}">
     {{with .Form}}
     <div>
         <label>Title:</label>
 
@@ -2,6 +2,7 @@
 
 {{define "page-body"}}
 <form action="/user/signup" method="POST" novalidate>
+    <input type="hidden" name="csrf_token" value="{{.CSRFtoken}}">
     {{with .Form}}
         <div>
             <label>Name:</label>