diff --git a/app/middleware/register.middleware.go b/app/middleware/register.middleware.go
index d323cec..bf80076 100644
--- a/app/middleware/register.middleware.go
+++ b/app/middleware/register.middleware.go
@@ -70,59 +70,61 @@ func (m *Middleware) Register(db *database.Database) { // CSRF CONFIG //=============================== - // Custom storage for CSRF - csrfSessionStorage := &PostgresStorage{ - DB: db.DB, - } - - // Store initialization for session - store := session.New(session.Config{ - CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite, - CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure, - CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly, - CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly, - Storage: csrfSessionStorage, - }) - - m.App.Use(func(c *fiber.Ctx) error { - sess, err := store.Get(c) - if err != nil { - return err + // Only setup CSRF middleware if enabled + if m.Cfg.Middleware.Csrf.Enable { + // Custom storage for CSRF + csrfSessionStorage := &PostgresStorage{ + DB: db.DB, } - c.Locals("session", sess) - return c.Next() - }) - // Cleanup the expired token - go func() { - ticker := time.NewTicker(1 * time.Hour) - defer ticker.Stop() + // Store initialization for session + store := session.New(session.Config{ + CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite, + CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure, + CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly, + CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly, + Storage: csrfSessionStorage, + }) - for range ticker.C { - if err := csrfSessionStorage.Reset(); err != nil { - log.Printf("Error cleaning up expired CSRF tokens: %v", err) + m.App.Use(func(c *fiber.Ctx) error { + sess, err := store.Get(c) + if err != nil { + return err } - } - }() + c.Locals("session", sess) + return c.Next() + }) - m.App.Use(csrf.New(csrf.Config{ - Next: utilsSvc.IsEnabled(m.Cfg.Middleware.Csrf.Enable), - KeyLookup: "header:" + csrf.HeaderName, - CookieName: m.Cfg.Middleware.Csrf.CookieName, - CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite, - CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure, - CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly, - CookieHTTPOnly: 
m.Cfg.Middleware.Csrf.CookieHttpOnly, - Expiration: 1 * time.Hour, - KeyGenerator: utils.UUIDv4, - ContextKey: "csrf", - ErrorHandler: func(c *fiber.Ctx, err error) error { - return utilsSvc.CsrfErrorHandler(c, err) - }, - Extractor: csrf.CsrfFromHeader(csrf.HeaderName), - Session: store, - SessionKey: "fiber.csrf.token", - })) + // Cleanup the expired token + go func() { + ticker := time.NewTicker(1 * time.Hour) + defer ticker.Stop() + + for range ticker.C { + if err := csrfSessionStorage.Reset(); err != nil { + log.Printf("Error cleaning up expired CSRF tokens: %v", err) + } + } + }() + + m.App.Use(csrf.New(csrf.Config{ + KeyLookup: "header:" + csrf.HeaderName, + CookieName: m.Cfg.Middleware.Csrf.CookieName, + CookieSameSite: m.Cfg.Middleware.Csrf.CookieSameSite, + CookieSecure: m.Cfg.Middleware.Csrf.CookieSecure, + CookieSessionOnly: m.Cfg.Middleware.Csrf.CookieSessionOnly, + CookieHTTPOnly: m.Cfg.Middleware.Csrf.CookieHttpOnly, + Expiration: 1 * time.Hour, + KeyGenerator: utils.UUIDv4, + ContextKey: "csrf", + ErrorHandler: func(c *fiber.Ctx, err error) error { + return utilsSvc.CsrfErrorHandler(c, err) + }, + Extractor: csrf.CsrfFromHeader(csrf.HeaderName), + Session: store, + SessionKey: "fiber.csrf.token", + })) + } //=============================== m.App.Use(AuditTrailsMiddleware(db.DB)) @@ -141,7 +143,7 @@ func (m *Middleware) Register(db *database.Database) { Next: utilsSvc.IsEnabled(m.Cfg.Middleware.Monitor.Enable), })) - // Route for generate CSRF token + // Route for generate CSRF token (only available if CSRF is enabled) m.App.Get("/csrf-token", func(c *fiber.Ctx) error { // Retrieve CSRF token from Fiber's middleware context token, ok := c.Locals("csrf").(string)
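Review bot: The new `if m.Cfg.Middleware.Csrf.Enable` block gates not only `csrf.New(...)` but also the session middleware that stores `c.Locals("session", sess)`, so with CSRF disabled any later handler that reads that local now gets nil where it previously got a session; if nothing outside the CSRF middleware reads it this is fine, but the block comment should say so, e.g. `// Only set up CSRF middleware if enabled; the "session" local below is also skipped in that case`. Register's body begins before this hunk, so I cannot see other readers of that local. Separately, the relocated cleanup goroutine calls `csrfSessionStorage.Reset()` hourly under a comment that says it removes expired tokens, but the fiber Storage contract for `Reset` is "delete all keys"; if `PostgresStorage.Reset` follows that contract, every live CSRF session is wiped on each tick and tokens issued just before it are invalidated, so either the comment or the call should be brought into agreement. That goroutine also has no stop signal, which is acceptable for a process-lifetime server but worth a one-line comment stating the intent.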
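Review bot: The reworded comment claims the `/csrf-token` route is "only available if CSRF is enabled", but the `m.App.Get("/csrf-token", ...)` registration on the next line is still unconditional; with the CSRF middleware now skipped entirely, `c.Locals("csrf")` is never set and the `token, ok := c.Locals("csrf").(string)` assertion is the only guard, and the handler body that acts on `ok` continues outside the hunk. Either gate the registration with `if m.Cfg.Middleware.Csrf.Enable {` around the `m.App.Get` call so the comment becomes true, or reword the comment to `// Route for generating a CSRF token (no token is set when CSRF is disabled; the handler must reject that case)` so the contract matches the code.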