CSRF, Initial Setup and Admin User Creation

2019-11-14 20:58:55 -08:00 · 2019-11-14 20:58:55 -08:00 · 9348050b4c
--- a/go.mod
+++ b/go.mod
@ -6,5 +6,7 @@ require (
 	github.com/gorilla/mux v1.7.3
 	github.com/jinzhu/gorm v1.9.11
 	github.com/kirsle/blog v0.0.0-20191022175051-d78814b9c99b
+	github.com/satori/go.uuid v1.2.0
 	github.com/urfave/negroni v1.0.0
+	golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443
 )
--- a/go.sum
+++ b/go.sum
@ -35,15 +35,19 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/feeds v1.1.1/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.1.3 h1:uXoZdcdA5XdXF3QzuSlheVRUvjl+1rKY7zBXL68L9RU=
 github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@ -88,6 +92,8 @@ github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
+github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shurcooL/github_flavored_markdown v0.0.0-20181002035957-2122de532470/go.mod h1:2dOwnU2uBioM+SGy2aZoq1f/Sd1l9OkAeAUvjSyvgU0=
 github.com/shurcooL/highlight_diff v0.0.0-20181222201841-111da2e7d480/go.mod h1:ZpfEhSmds4ytuByIcDnOLkTHGUI6KNqRNPDLHDk+mUU=
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@ -0,0 +1,8 @@
+package constants
+
+// Misc constants.
+const (
+	// Password values
+	PasswordMinLength = 8
+	BcryptCost        = 14
+)
--- a/pkg/constants/csrf.go
+++ b/pkg/constants/csrf.go
@ -0,0 +1,7 @@
+package constants
+
+// CSRF protection constants.
+const (
+	CSRFCookieName = "csrf_token"
+	CSRFFormName   = "_csrf"
+)
--- a/pkg/controllers/index.go
+++ b/pkg/controllers/index.go
@ -9,16 +9,6 @@ import (
 )

 func init() {
-	glue.Register(glue.Endpoint{
-		Path: "/about",
-		Middleware: []mux.MiddlewareFunc{
-			middleware.ExampleMiddleware,
-		},
-		Handler: func(w http.ResponseWriter, r *http.Request) {
-			w.Write([]byte("About Site"))
-		},
-	})
-
 	glue.Register(glue.Endpoint{
 		Path: "/admin",
 		Middleware: []mux.MiddlewareFunc{
--- a/pkg/controllers/initial_setup.go
+++ b/pkg/controllers/initial_setup.go
@ -1,22 +1,73 @@
 package controllers

 import (
+	"errors"
+	"fmt"
 	"net/http"

+	"git.kirsle.net/apps/gophertype/pkg/constants"
 	"git.kirsle.net/apps/gophertype/pkg/glue"
 	"git.kirsle.net/apps/gophertype/pkg/middleware"
+	"git.kirsle.net/apps/gophertype/pkg/models"
 	"git.kirsle.net/apps/gophertype/pkg/responses"
 	"github.com/gorilla/mux"
 )

 func init() {
 	glue.Register(glue.Endpoint{
-		Path: "/admin/setup",
+		Path:    "/admin/setup",
+		Methods: []string{"GET", "POST"},
 		Middleware: []mux.MiddlewareFunc{
 			middleware.ExampleMiddleware,
 		},
 		Handler: func(w http.ResponseWriter, r *http.Request) {
-			responses.RenderTemplate(w, "_builtin/initial_setup.gohtml", nil)
+			// See if we already have an admin account.
+			if _, err := models.FirstAdmin(); err == nil {
+				responses.Panic(w, http.StatusForbidden, "This site is already initialized.")
+				return
+			}
+
+			// Template variables.
+			v := map[string]interface{}{}
+
+			// POST handler: create the admin account.
+			if r.Method == http.MethodPost {
+				var (
+					username    = r.FormValue("username")
+					displayName = r.FormValue("name")
+					password    = r.FormValue("password")
+					password2   = r.FormValue("password2")
+				)
+
+				// Username and display name validation happens in CreateUser.
+				// Validate the passwords match here.
+				if len(password) < constants.PasswordMinLength {
+					v["Error"] = fmt.Errorf("your password is too short (must be %d+ characters)", constants.PasswordMinLength)
+				}
+				if password != password2 {
+					v["Error"] = errors.New("your passwords don't match")
+				} else {
+					admin := models.User{
+						Username: username,
+						Name:     displayName,
+						IsAdmin:  true,
+					}
+					admin.SetPassword(password)
+
+					if err := models.CreateUser(admin); err != nil {
+						v["Error"] = err
+					} else {
+						// Admin created! Make the default config.
+						cfg := models.GetSettings()
+						cfg.Save()
+
+						w.Write([]byte("Success"))
+						return
+					}
+				}
+			}
+
+			responses.RenderTemplate(w, r, "_builtin/initial_setup.gohtml", v)
 		},
 	})

--- a/pkg/controllers/static_files.go
+++ b/pkg/controllers/static_files.go
@ -18,7 +18,7 @@ func CatchAllHandler(w http.ResponseWriter, r *http.Request) {
 	// Resolve the target path.
 	filepath, err := responses.ResolveFile(path)
 	if err != nil {
-		responses.Panic(w, http.StatusNotFound, "ResolveFile: "+err.Error())
+		responses.NotFound(w, r)
 		return
 	}

@ -31,7 +31,7 @@ func CatchAllHandler(w http.ResponseWriter, r *http.Request) {
 	// Is it a Go template?
 	if strings.HasSuffix(filepath, ".gohtml") {
 		log.Printf("Resolved to Go Template path %s", filepath)
-		responses.RenderTemplate(w, filepath, nil)
+		responses.RenderTemplate(w, r, filepath, nil)
 		return
 	}

--- a/pkg/middleware/csrf.go
+++ b/pkg/middleware/csrf.go
@ -0,0 +1,48 @@
+package middleware
+
+import (
+	"net/http"
+	"time"
+
+	"git.kirsle.net/apps/gophertype/pkg/constants"
+	"git.kirsle.net/apps/gophertype/pkg/responses"
+	uuid "github.com/satori/go.uuid"
+)
+
+// CSRF prevents Cross-Site Request Forgery.
+// All "POST" requests are required to have an "_csrf" variable passed in which
+// matches the "csrf_token" HTTP cookie with their request.
+func CSRF(next http.Handler) http.Handler {
+	middleware := func(w http.ResponseWriter, r *http.Request) {
+		// All requests: verify they have a CSRF cookie, create one if not.
+		var token string
+		cookie, err := r.Cookie(constants.CSRFCookieName)
+		if err == nil {
+			token = cookie.Value
+		}
+
+		// Generate a token cookie if not found.
+		if len(token) < 8 || err != nil {
+			token = uuid.NewV4().String()
+			cookie = &http.Cookie{
+				Name:    constants.CSRFCookieName,
+				Value:   token,
+				Expires: time.Now().Add(24 * time.Hour),
+			}
+			http.SetCookie(w, cookie)
+		}
+
+		// POST requests: verify token from form parameter.
+		if r.Method == http.MethodPost {
+			compare := r.FormValue(constants.CSRFFormName)
+			if compare != token {
+				responses.Panic(w, http.StatusForbidden, "CSRF token failure.")
+				return
+			}
+		}
+
+		next.ServeHTTP(w, r)
+	}
+
+	return http.HandlerFunc(middleware)
+}
--- a/pkg/models/app_settings.go
+++ b/pkg/models/app_settings.go
@ -0,0 +1,72 @@
+package models
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+
+	"github.com/jinzhu/gorm"
+)
+
+// AppSetting singleton holds the app configuration.
+type AppSetting struct {
+	gorm.Model
+
+	// Site information
+	Title       string
+	Description string
+	Email       string // primary email for notifications
+	NSFW        bool
+	BaseURL     string
+
+	// Blog settings
+	PostsPerPage int
+
+	// Mail settings
+	MailEnabled  bool
+	MailSender   string
+	MailHost     string
+	MailPort     int
+	MailUsername string
+	MailPassword string
+
+	// Security
+	SecretKey string `json:"-"`
+}
+
+// GetSettings gets or creates the App Settings.
+func GetSettings() AppSetting {
+	var s AppSetting
+	r := DB.First(&s)
+	if r.Error != nil {
+		s = AppSetting{
+			Title:       "Untitled Site",
+			Description: "Just another web blog.",
+			SecretKey:   MakeSecretKey(),
+		}
+	}
+
+	if s.SecretKey == "" {
+		s.SecretKey = MakeSecretKey()
+	}
+
+	return s
+}
+
+// Save the settings to DB.
+func (s AppSetting) Save() error {
+	if DB.NewRecord(s) {
+		r := DB.Create(&s)
+		return r.Error
+	}
+	r := DB.Save(&s)
+	return r.Error
+}
+
+// MakeSecretKey generates a secret key for signing HTTP cookies.
+func MakeSecretKey() string {
+	keyLength := 32
+
+	b := make([]byte, keyLength)
+	rand.Read(b)
+	return base64.URLEncoding.EncodeToString(b)
+}
--- a/pkg/models/models.go
+++ b/pkg/models/models.go
@ -8,5 +8,6 @@ var DB *gorm.DB
 // UseDB registers a database driver.
 func UseDB(db *gorm.DB) {
 	DB = db
+	DB.AutoMigrate(&AppSetting{})
 	DB.AutoMigrate(&User{})
 }
--- a/pkg/models/users.go
+++ b/pkg/models/users.go
@ -1,11 +1,67 @@
 package models

+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"git.kirsle.net/apps/gophertype/pkg/constants"
+	"github.com/jinzhu/gorm"
+	"golang.org/x/crypto/bcrypt"
+)
+
 // User account for the site.
 type User struct {
-	ID       int    `json:"id"`
-	Username string `json:"username" gorm:"unique"`
-	Password string `json:"-"`
-	IsAdmin  bool   `json:"isAdmin"`
-	Name     string `json:"name"`
-	Email    string `json:"email"`
+	gorm.Model
+	Username       string `json:"username" gorm:"unique_index"`
+	HashedPassword string `json:"-"`
+	IsAdmin        bool   `json:"isAdmin" gorm:"index"`
+	Name           string `json:"name"`
+	Email          string `json:"email" gorm:"index"`
+}
+
+// Validate the User object has everything filled in. Fixes what it can,
+// returns an error if something is wrong. Ensures the HashedPassword is hashed.
+func (u *User) Validate() error {
+	u.Username = strings.TrimSpace(strings.ToLower(u.Username))
+	u.Name = strings.TrimSpace(strings.ToLower(u.Name))
+
+	// Defaults
+	if len(u.Name) == 0 {
+		u.Name = u.Username
+	}
+
+	if len(u.Username) == 0 {
+		return errors.New("username is required")
+	}
+	return nil
+}
+
+// SetPassword stores the hashed password for a user.
+func (u *User) SetPassword(password string) error {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), constants.BcryptCost)
+	if err != nil {
+		return fmt.Errorf("SetPassword: %s", err)
+	}
+
+	u.HashedPassword = string(hash)
+	fmt.Printf("Set hashed password: %s", u.HashedPassword)
+	return nil
+}
+
+// FirstAdmin returns the admin user with the lowest ID number.
+func FirstAdmin() (User, error) {
+	var user User
+	r := DB.First(&user, "is_admin", true)
+	return user, r.Error
+}
+
+// CreateUser adds a new user to the database.
+func CreateUser(u User) error {
+	if err := u.Validate(); err != nil {
+		return err
+	}
+
+	r := DB.Create(&u)
+	return r.Error
 }
--- a/pkg/responses/errors.go
+++ b/pkg/responses/errors.go
@ -1,9 +1,33 @@
 package responses

-import "net/http"
+import (
+	"log"
+	"net/http"
+)

 // Panic gives a simple error with no template or anything fancy.
 func Panic(w http.ResponseWriter, code int, message string) {
 	w.WriteHeader(code)
 	w.Write([]byte(message))
 }
+
+// Error returns an error page.
+func Error(w http.ResponseWriter, r *http.Request, code int, message string) {
+	v := map[string]interface{}{
+		"Message": message,
+	}
+	w.WriteHeader(code)
+
+	if err := RenderTemplate(w, r, "_builtin/errors/generic.gohtml", v); err != nil {
+		log.Printf("responses.Error: failed to render a pretty error template: %s", err)
+		w.Write([]byte(message))
+	}
+}
+
+// NotFound returns an HTML 404 page.
+func NotFound(w http.ResponseWriter, r *http.Request) {
+	if err := RenderTemplate(w, r, "_builtin/errors/404.gohtml", nil); err != nil {
+		log.Printf("responses.NotFound: failed to render a pretty error template: %s", err)
+		w.Write([]byte("Not Found"))
+	}
+}
--- a/pkg/responses/template_functions.go
+++ b/pkg/responses/template_functions.go
@ -0,0 +1,27 @@
+package responses
+
+import (
+	"fmt"
+	"html/template"
+	"net/http"
+
+	"git.kirsle.net/apps/gophertype/pkg/constants"
+)
+
+// TemplateFuncs available to all templates.
+func TemplateFuncs(r *http.Request) template.FuncMap {
+	return template.FuncMap{
+		"CSRF": func() template.HTML {
+			fmt.Println("CSRF() func called")
+			token, _ := r.Cookie(constants.CSRFCookieName)
+			return template.HTML(fmt.Sprintf(
+				`<input type="hidden" name="%s" value="%s">`,
+				constants.CSRFFormName,
+				token.Value,
+			))
+		},
+		"TestFunction": func() template.HTML {
+			return template.HTML("Testing")
+		},
+	}
+}
--- a/pkg/responses/templates.go
+++ b/pkg/responses/templates.go
@ -87,21 +87,22 @@ func ResolveFile(path string) (string, error) {

 // RenderTemplate renders a Go HTML template.
 // The io.Writer can be an http.ResponseWriter.
-func RenderTemplate(w http.ResponseWriter, tmpl string, vars interface{}) error {
+func RenderTemplate(w http.ResponseWriter, r *http.Request, tmpl string, vars interface{}) error {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")

 	// Look for the built-in template.
 	if b, err := GetFile(tmpl); err == nil {
-		t, err := template.New(tmpl).Parse(string(b))
+		t, err := template.New(tmpl).Funcs(TemplateFuncs(r)).Parse(string(b))
 		if err != nil {
-			return fmt.Errorf("bundled template '%s': %s", tmpl, err)
+			log.Printf("bundled template '%s': %s", tmpl, err)
+			return err
 		}

 		// We found the template. Can we find the layout html?
 		if layout, err := GetFile(".layout.gohtml"); err == nil {
 			_, err := t.New("layout").Parse(string(layout))
 			if err != nil {
-				fmt.Errorf("RenderTemplate(.layout.gohtml): %s", err)
+				log.Printf("RenderTemplate(.layout.gohtml): %s", err)
 			}
 		} else {
 			log.Printf("RenderTemplate: .layout.gohtml not found to wrap %s", tmpl)
--- a/pkg/routes.go
+++ b/pkg/routes.go
@ -7,6 +7,7 @@ import (

 	"git.kirsle.net/apps/gophertype/pkg/controllers"
 	"git.kirsle.net/apps/gophertype/pkg/glue"
+	"git.kirsle.net/apps/gophertype/pkg/middleware"
 	"github.com/gorilla/mux"
 )

@ -14,6 +15,8 @@ import (
 func (s *Site) SetupRouter() error {
 	router := mux.NewRouter()

+	router.Use(middleware.CSRF)
+
 	for _, route := range glue.GetControllers() {
 		log.Printf("Register: %+v", route)
 		if len(route.Methods) == 0 {
--- a/pvt-www/_builtin/error.gohtml
+++ b/pvt-www/_builtin/error.gohtml
@ -0,0 +1,11 @@
+{{ define "title" }}An error has occurred{{ end }}
+{{ define "content" }}
+<h1>An error has occurred</h1>
+
+{{ if .Message }}
+<div class="banner banner-danger">
+	{{ .Message }}
+</div>
+{{ end }}
+
+{{ end }}
--- a/pvt-www/_builtin/errors/404.gohtml
+++ b/pvt-www/_builtin/errors/404.gohtml
@ -0,0 +1,6 @@
+{{ define "title" }}Not Found{{ end }}
+{{ define "content" }}
+<h1>Not Found</h1>
+
+The page you were looking for was not found.
+{{ end }}
--- a/pvt-www/_builtin/initial_setup.gohtml
+++ b/pvt-www/_builtin/initial_setup.gohtml
@ -1,5 +1,66 @@
 {{ define "title" }}Initial Setup{{ end }}
-
 {{ define "content" }}
 <h1>Initial Setup</h1>
+
+{{ if .Error }}
+<div class="banner banner-danger mb-4">
+	<strong>Error:</strong> {{ .Error }}
+</div>
+{{ end }}
+
+<p>
+	Welcome to Gophertype! Fill out the basic configuration below to set up the app.
+</p>
+
+<form method="POST" action="/admin/setup">
+	{{ CSRF }}
+	<div class="card mb-4">
+		<div class="card-header">
+			Create Administrator Login
+		</div>
+		<div class="card-body">
+			<div class="form-row">
+				<div class="form-group col-md-6">
+					<label for="username">Username<span class="text-danger">*</span>:</label>
+					<input type="text" class="form-control"
+						name="username"
+						id="username"
+						placeholder="Admin"
+						required>
+				</div>
+				<div class="form-group col-md-6">
+					<label for="username">Display Name:</label>
+					<input type="text" class="form-control"
+						name="name"
+						id="name"
+						placeholder="Soandso">
+				</div>
+			</div>
+
+			<div class="form-row">
+				<div class="form-group col-md-6">
+					<label for="password">Password<span class="text-danger">*</span>:</label>
+					<input type="password" class="form-control"
+						name="password"
+						id="password"
+						required>
+				</div>
+				<div class="form-group col-md-6">
+					<label for="confirm">Confirm<span class="text-danger">*</span>:</label>
+					<input type="password" class="form-control"
+						name="password2"
+						id="confirm"
+						required>
+				</div>
+			</div>
+
+			<div class="form-row">
+				<div class="col">
+					<button type="submit"
+						class="btn btn-primary">Continue</button>
+				</div>
+			</div>
+		</div>
+	</div>
+</form>
 {{ end }}
--- a/pvt-www/about.md
+++ b/pvt-www/about.md
@ -0,0 +1,10 @@
+# About Blog
+
+This is a simple web blog and content management system written in Go.
+
+## Features
+
+* Web blog
+  * Draft, Private Posts
+* Page editor
+  * You can edit any page from the front-end.