Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337)

Do a refactoring to the CSRF related code, remove most unnecessary functions. Parse the generated token's issue time, regenerate the token every a few minutes.
2022-04-08 13:21:05 +08:00 · 2022-04-08 13:21:05 +08:00 · 84ceaa98bd
commit 84ceaa98bd
parent 3c3d49899f
10 changed files with 170 additions and 196 deletions
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@ -98,17 +98,6 @@ func DeleteRedirectToCookie(resp http.ResponseWriter) {
 		SameSite(setting.SessionConfig.SameSite))
 }

-// DeleteSesionConfigPathCookie convenience function to delete SessionConfigPath cookies consistently
-func DeleteSesionConfigPathCookie(resp http.ResponseWriter, name string) {
-	SetCookie(resp, name, "",
-		-1,
-		setting.SessionConfig.CookiePath,
-		setting.SessionConfig.Domain,
-		setting.SessionConfig.Secure,
-		true,
-		SameSite(setting.SessionConfig.SameSite))
-}
-
 // DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently
 func DeleteCSRFCookie(resp http.ResponseWriter) {
 	SetCookie(resp, setting.CSRFCookieName, "",
@ -117,7 +106,7 @@ func DeleteCSRFCookie(resp http.ResponseWriter) {
 		setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
 }

-// SetCookie set the cookies
+// SetCookie set the cookies. (name, value, lifetime, path, domain, secure, httponly, expires, {sameSite, ...})
 // TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
 func SetCookie(resp http.ResponseWriter, name, value string, others ...interface{}) {
 	cookie := http.Cookie{}