thomiceli · thomiceli · Nov 2, 2024 · Nov 1, 2024 · Nov 1, 2024
diff --git a/internal/cli/main.go b/internal/cli/main.go
@@ -37,7 +37,7 @@ var CmdStart = cli.Command{
 
 		Initialize(ctx)
 
-		go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions")).Start()
+		go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions"), false).Start()
 		go ssh.Start()
 
 		<-stopCtx.Done()

diff --git a/internal/web/server.go b/internal/web/server.go
@@ -164,7 +164,7 @@ type Server struct {
 	dev  bool
 }
 
-func NewServer(isDev bool, sessionsPath string) *Server {
+func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
 	dev = isDev
 	flashStore = sessions.NewCookieStore([]byte("opengist"))
 	encryptKey, _ := utils.GenerateSecretKey(filepath.Join(sessionsPath, "session-encrypt.key"))
@@ -245,15 +245,16 @@ func NewServer(isDev bool, sessionsPath string) *Server {
 	// Web based routes
 	g1 := e.Group("")
 	{
-		if !dev {
+		if !ignoreCsrf {
 			g1.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
 				TokenLookup:    "form:_csrf,header:X-CSRF-Token",
 				CookiePath:     "/",
 				CookieHTTPOnly: true,
 				CookieSameSite: http.SameSiteStrictMode,
 			}))
+			g1.Use(csrfInit)
 		}
-		g1.Use(csrfInit)
+
 		g1.GET("/", create, logged)
 		g1.POST("/", processCreate, logged)
 		g1.POST("/preview", preview, logged)

diff --git a/internal/web/test/server.go b/internal/web/test/server.go
@@ -33,7 +33,7 @@ type testServer struct {
 
 func newTestServer() (*testServer, error) {
 	s := &testServer{
-		server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions")),
+		server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions"), true),
 	}
 
 	go s.start()

diff --git a/public/editor.ts b/public/editor.ts
@@ -73,10 +73,14 @@ document.addEventListener("DOMContentLoaded", () => {
             } else {
                 const formData = new FormData();
                 formData.append('content', editor.state.doc.toString());
+                let csrf = document.querySelector<HTMLInputElement>('form#create input[name="_csrf"]').value
                 fetch(`${baseUrl}/preview`, {
                     method: 'POST',
                     credentials: 'same-origin',
-                    body: formData
+                    body: formData,
+                    headers: {
+                        'X-CSRF-Token': csrf
+                    }
                 }).then(r => r.text()).then(r => {
                     let divpreview = dom.querySelector("div.preview") as HTMLElement;
                     divpreview!.innerHTML = r;