Stage 10: admin console & dictionary ops (complaint review, hot-reload, broadcasts) (#11)

backend/internal/server/middleware.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"net/http"
+	"net/url"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -39,3 +40,40 @@ func UserIDFromContext(ctx context.Context) (uuid.UUID, bool) {
 	id, ok := ctx.Value(userIDContextKey).(uuid.UUID)
 	return id, ok
 }
+
+// requireSameOrigin guards the admin console's state-changing requests: it rejects
+// a non-safe request whose Origin (or, failing that, Referer) host does not match
+// the request Host. The gateway authenticates the operator with Basic-Auth in front
+// of /_gm; this same-origin check is the console's CSRF defence, stopping a
+// cross-site form POST from riding the cached credential. Safe methods pass through.
+func requireSameOrigin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		switch c.Request.Method {
+		case http.MethodGet, http.MethodHead, http.MethodOptions:
+			c.Next()
+			return
+		}
+		if !sameOrigin(c.Request) {
+			c.AbortWithStatus(http.StatusForbidden)
+			return
+		}
+		c.Next()
+	}
+}
+
+// sameOrigin reports whether the request's Origin (or, failing that, Referer) host
+// matches the request Host. A state-changing request carrying neither header is
+// rejected.
+func sameOrigin(r *http.Request) bool {
+	for _, h := range []string{r.Header.Get("Origin"), r.Header.Get("Referer")} {
+		if h == "" {
+			continue
+		}
+		u, err := url.Parse(h)
+		if err != nil {
+			return false
+		}
+		return u.Host == r.Host
+	}
+	return false
+}