Ilia Denisov
27916bbe61
Tests · Go / test (push) Successful in 2m0s
Add the server-rendered operator console at /_gm, exposed publicly through the gateway behind the existing admin_accounts Basic Auth. Backend: - new internal/adminconsole package (html/template Renderer, stateless HMAC CSRF signer, embedded stylesheet) - /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard (per-operator token + same-origin check); dashboard landing page - BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback) Gateway: - new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST method limits) classifying /_gm traffic - reverse proxy to the backend /_gm surface, preserving Host and relaying the backend 401 Basic Auth challenge; 502 when the backend is unreachable - GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config dev-deploy: - Caddy routes /_gm/* to the gateway - bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on backend and gateway (forward-compat for a future Prometheus/Grafana stack) Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and gateway READMEs, new backend/docs/admin-console.md. Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF; gateway classifier, proxy forwarding/Host/401/405/413/429/502.
55 lines
1.7 KiB
Go
55 lines
1.7 KiB
Go
package adminconsole
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"fmt"
|
|
)
|
|
|
|
// CSRF issues and verifies the stateless anti-CSRF token used by the admin
|
|
// console. The token is an HMAC-SHA256 over the authenticated operator's
|
|
// username keyed by a process secret, so a cross-site request cannot forge it
|
|
// without already being able to read an authenticated page. The console is
|
|
// sessionless (HTTP Basic Auth), which makes a stateless, per-operator token
|
|
// the natural fit.
|
|
type CSRF struct {
|
|
key []byte
|
|
}
|
|
|
|
// NewCSRF returns a CSRF signer keyed by key. A shared key across backend
|
|
// replicas lets a form rendered by one replica validate on another; callers
|
|
// that pass a per-process random key (see NewRandomCSRF) accept that forms do
|
|
// not survive a restart or span replicas.
|
|
func NewCSRF(key []byte) *CSRF {
|
|
return &CSRF{key: key}
|
|
}
|
|
|
|
// NewRandomCSRF returns a CSRF signer keyed by a fresh 32-byte random secret.
|
|
// It is the secure default when no shared key is configured.
|
|
func NewRandomCSRF() (*CSRF, error) {
|
|
key := make([]byte, 32)
|
|
if _, err := rand.Read(key); err != nil {
|
|
return nil, fmt.Errorf("generate admin console CSRF key: %w", err)
|
|
}
|
|
return &CSRF{key: key}, nil
|
|
}
|
|
|
|
// Token returns the anti-CSRF token bound to username.
|
|
func (c *CSRF) Token(username string) string {
|
|
mac := hmac.New(sha256.New, c.key)
|
|
mac.Write([]byte(username))
|
|
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
|
|
}
|
|
|
|
// Verify reports whether token is the valid anti-CSRF token for username. The
|
|
// comparison runs in constant time relative to the token bytes.
|
|
func (c *CSRF) Verify(username, token string) bool {
|
|
if token == "" {
|
|
return false
|
|
}
|
|
expected := c.Token(username)
|
|
return hmac.Equal([]byte(token), []byte(expected))
|
|
}
|