httpd: validate reference also for CSRF token in headers

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 22:30:56 +03:00 · 2024-09-14 21:45:25 +02:00
parent 14cabda5c2
commit 6896d2bfb1
4 changed files with 23 additions and 2 deletions
--- a/internal/httpd/middleware.go
+++ b/internal/httpd/middleware.go
@@ -343,6 +343,10 @@ func (s *httpdServer) verifyCSRFHeader(next http.Handler) http.Handler {
 			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
 			return
 		}
+		if err := checkCSRFTokenRef(r, token); err != nil {
+			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
+			return
+		}

 		next.ServeHTTP(w, r)
 	})