Fixes security issue & Adds support to sent configuration via email (#83)

2025-07-22 19:33:32 +03:00 · 2021-08-08 20:55:59 +03:00 · 2021-08-08 20:55:59 +03:00 · 1711530dda
commit 1711530dda
parent 7edcd1b80c
13 changed files with 335 additions and 76 deletions
--- a/handler/session.go
+++ b/handler/session.go
@ -9,22 +9,32 @@ import (
 	"github.com/ngoduykhanh/wireguard-ui/util"
 )

-// validSession to redirect user to the login page if they are not authenticated or session expired.
-func validSession(c echo.Context) {
-	if !util.DisableLogin {
-		sess, _ := session.Get("session", c)
-		cookie, err := c.Cookie("session_token")
-		if err != nil || sess.Values["session_token"] != cookie.Value {
+func ValidSession(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		if !isValidSession(c) {
 			nextURL := c.Request().URL
-			if nextURL != nil {
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("/login?next=%s", c.Request().URL))
+			if nextURL != nil && c.Request().Method == http.MethodGet {
+				return c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("/login?next=%s", c.Request().URL))
 			} else {
-				c.Redirect(http.StatusTemporaryRedirect, "/login")
+				return c.Redirect(http.StatusTemporaryRedirect, "/login")
 			}
 		}
+		return next(c)
 	}
 }

+func isValidSession(c echo.Context) bool {
+	if util.DisableLogin {
+		return true
+	}
+	sess, _ := session.Get("session", c)
+	cookie, err := c.Cookie("session_token")
+	if err != nil || sess.Values["session_token"] != cookie.Value {
+		return false
+	}
+	return true
+}
+
 // currentUser to get username of logged in user
 func currentUser(c echo.Context) string {
 	if util.DisableLogin {