Add CSRF middleware implementation and update go.mod/go.sum for dependencies

internal/middleware/csrf.go

@@ -0,0 +1,213 @@
+package middleware
+
+import (
+	"html/template"
+	"net/http"
+
+	"github.com/gorilla/csrf"
+)
+
+// CSRFConfig defines the configuration options for CSRF middleware
+type CSRFConfig struct {
+	// Secret is the 32-byte secret key used to generate tokens
+	Secret []byte
+
+	// Cookie defines cookie options
+	Cookie struct {
+		// Name of the CSRF cookie
+		Name string
+
+		// Path where the cookie is valid
+		Path string
+
+		// Domain where the cookie is valid
+		Domain string
+
+		// MaxAge in seconds for the CSRF cookie
+		MaxAge int
+
+		// Secure sets the Secure flag on the cookie
+		Secure bool
+
+		// HttpOnly sets the HttpOnly flag on the cookie
+		HttpOnly bool
+
+		// SameSite sets the SameSite attribute on the cookie
+		SameSite csrf.SameSiteMode
+	}
+
+	// ErrorHandler to call when CSRF validation fails
+	ErrorHandler http.Handler
+
+	// FieldName is the name of the hidden input field used by frontend
+	FieldName string
+
+	// RequestHeader is the name of header used in AJAX requests
+	RequestHeader string
+
+	// TrustedOrigins lists additional origins that are trusted
+	TrustedOrigins []string
+
+	// Path defines URL paths where CSRF protection applies
+	// If empty, all paths are protected
+	Path string
+
+	// Ignore functions determine if a request should skip CSRF protection
+	Ignore []func(r *http.Request) bool
+}
+
+// DefaultCSRFConfig returns a default configuration for CSRF middleware
+func DefaultCSRFConfig() CSRFConfig {
+	config := CSRFConfig{
+		Secret:        nil, // Must be set by the application
+		FieldName:     "gorilla.csrf.Token",
+		RequestHeader: "X-CSRF-Token",
+		Path:          "",
+		Ignore:        []func(r *http.Request) bool{},
+	}
+
+	config.Cookie.Name = "_csrf"
+	config.Cookie.Path = "/"
+	config.Cookie.MaxAge = 86400 // 24 hours
+	config.Cookie.Secure = true
+	config.Cookie.HttpOnly = true
+	config.Cookie.SameSite = csrf.SameSiteStrictMode
+
+	return config
+}
+
+// CSRF middleware provides Cross-Site Request Forgery protection
+func CSRF(config CSRFConfig) Middleware {
+	options := []csrf.Option{
+		csrf.CookieName(config.Cookie.Name),
+		csrf.Path(config.Cookie.Path),
+		csrf.MaxAge(config.Cookie.MaxAge),
+		csrf.FieldName(config.FieldName),
+		csrf.RequestHeader(config.RequestHeader),
+		csrf.Secure(config.Cookie.Secure),
+		csrf.HttpOnly(config.Cookie.HttpOnly),
+		csrf.SameSite(config.Cookie.SameSite),
+	}
+
+	if config.Cookie.Domain != "" {
+		options = append(options, csrf.Domain(config.Cookie.Domain))
+	}
+
+	if config.ErrorHandler != nil {
+		options = append(options, csrf.ErrorHandler(config.ErrorHandler))
+	}
+
+	if len(config.TrustedOrigins) > 0 {
+		options = append(options, csrf.TrustedOrigins(config.TrustedOrigins))
+	}
+
+	// Create CSRF protection middleware
+	csrfHandler := csrf.Protect(config.Secret, options...)
+
+	return func(next http.Handler) http.Handler {
+		// Handle protection path
+		if config.Path != "" {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path == config.Path || (len(r.URL.Path) >= len(config.Path) && 
+					r.URL.Path[:len(config.Path)] == config.Path) {
+					// Check if the request should be ignored
+					for _, ignoreFunc := range config.Ignore {
+						if ignoreFunc(r) {
+							next.ServeHTTP(w, r)
+							return
+						}
+					}
+					csrfHandler(next).ServeHTTP(w, r)
+					return
+				}
+				next.ServeHTTP(w, r)
+			})
+		}
+
+		// Handle ignore functions
+		if len(config.Ignore) > 0 {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				for _, ignoreFunc := range config.Ignore {
+					if ignoreFunc(r) {
+						next.ServeHTTP(w, r)
+						return
+					}
+				}
+				csrfHandler(next).ServeHTTP(w, r)
+			})
+		}
+
+		// Apply CSRF to all routes if no path or ignores specified
+		return csrfHandler(next)
+	}
+}
+
+// CSRFToken gets the CSRF token from the request context
+func CSRFToken(r *http.Request) string {
+	return csrf.Token(r)
+}
+
+// CSRFTemplateField gets the hidden input field containing the CSRF token
+func CSRFTemplateField(r *http.Request) template.HTML {
+	return csrf.TemplateField(r)
+}
+
+/* Usage example:
+
+1. Create a secure key for CSRF protection:
+   
+   key := make([]byte, 32)
+   _, err := rand.Read(key)
+   if err != nil {
+       log.Fatal(err)
+   }
+   
+2. Create CSRF middleware with default configuration:
+   
+   csrfConfig := middleware.DefaultCSRFConfig()
+   csrfConfig.Secret = key
+   csrfMiddleware := middleware.CSRF(csrfConfig)
+   
+3. Add the middleware to your routing (example with standard http):
+   
+   handler := middleware.CreateStack(
+       middleware.RequestID(),
+       middleware.Logging(logger),
+       middleware.CORS(corsConfig),
+       middleware.CSRF(csrfConfig), // Add CSRF protection
+   )(router)
+   
+4. In your HTML templates, include the CSRF token in forms:
+   
+   <form method="post" action="/protected">
+       {{ .CSRFField }}
+       <input type="text" name="username">
+       <button type="submit">Submit</button>
+   </form>
+   
+   Where .CSRFField is provided to the template as:
+   
+   data := map[string]interface{}{
+       "CSRFField": middleware.CSRFTemplateField(r),
+   }
+   
+5. For AJAX requests, include the CSRF token in the request header:
+   
+   // JavaScript example
+   fetch('/api/protected', {
+       method: 'POST',
+       headers: {
+           'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]').getAttribute('content'),
+       },
+       body: JSON.stringify(data)
+   })
+   
+   // Include meta tag in your HTML:
+   // <meta name="csrf-token" content="{{ .CSRFToken }}">
+   
+   Where .CSRFToken is provided to the template as:
+   
+   data := map[string]interface{}{
+       "CSRFToken": middleware.CSRFToken(r),
+   }
+*/