fixed critical security issues
This commit is contained in:
@@ -22,17 +22,20 @@ import (
|
||||
"github.com/labstack/echo/v4"
|
||||
)
|
||||
|
||||
func RegisterAdminRoutes(e *echo.Echo, userHandler *user.Handler, companyHandler *company.Handler, customerHandler *customer.Handler, tenderHandler *tender.TenderHandler, feedbackHandler *feedback.Handler, tenderApprovalHandler *tender_approval.Handler, inquiryHandler *inquiry.Handler, categoryHandler *company_category.Handler, flagHandler *assets.Handler, notificationHandler *notification.NotificationHandler, contactHandler *contact.Handler, cmsHandler *cms.Handler, kanbanHandler *kanban.Handler, fileStoreHandler *filestore.Handler, dashboardHandler *dashboard.Handler, xssPolicy *security.XSSPolicy) {
|
||||
adminV1 := e.Group("/admin/v1")
|
||||
|
||||
// Add CSP middleware to admin routes (stricter policy)
|
||||
// SetupCSPSecurity registers global CSP middleware and the CSP report endpoint once.
|
||||
func SetupCSPSecurity(e *echo.Echo) {
|
||||
adminCSPConfig := security.DefaultCSPConfig()
|
||||
adminCSPConfig.ScriptSrc = []string{"'self'"} // No unsafe-inline for admin
|
||||
adminCSPConfig.StyleSrc = []string{"'self'"} // No unsafe-inline for admin
|
||||
e.Use(security.CSPMiddleware(adminCSPConfig))
|
||||
|
||||
// Add CSP report endpoint
|
||||
publicCSPConfig := security.DefaultCSPConfig()
|
||||
|
||||
e.Use(security.CSPMiddlewareForPaths("/admin", adminCSPConfig, "/api/v1", publicCSPConfig))
|
||||
e.POST("/api/v1/csp-report", security.CSPReportHandler)
|
||||
}
|
||||
|
||||
func RegisterAdminRoutes(e *echo.Echo, userHandler *user.Handler, companyHandler *company.Handler, customerHandler *customer.Handler, tenderHandler *tender.TenderHandler, feedbackHandler *feedback.Handler, tenderApprovalHandler *tender_approval.Handler, inquiryHandler *inquiry.Handler, categoryHandler *company_category.Handler, flagHandler *assets.Handler, notificationHandler *notification.NotificationHandler, contactHandler *contact.Handler, cmsHandler *cms.Handler, kanbanHandler *kanban.Handler, fileStoreHandler *filestore.Handler, dashboardHandler *dashboard.Handler, xssPolicy *security.XSSPolicy) {
|
||||
adminV1 := e.Group("/admin/v1")
|
||||
|
||||
// Admin Users Routes
|
||||
adminUsersGP := adminV1.Group("/users")
|
||||
@@ -221,13 +224,6 @@ func RegisterAdminRoutes(e *echo.Echo, userHandler *user.Handler, companyHandler
|
||||
func RegisterPublicRoutes(e *echo.Echo, customerHandler *customer.Handler, tenderHandler *tender.TenderHandler, feedbackHandler *feedback.Handler, tenderApprovalHandler *tender_approval.Handler, companyHandler *company.Handler, inquiryHandler *inquiry.Handler, categoryHandler *company_category.Handler, flagHandler *assets.Handler, notificationHandler *notification.NotificationHandler, contactHandler *contact.Handler, cmsHandler *cms.Handler, fileStoreHandler *filestore.Handler, xssPolicy *security.XSSPolicy) {
|
||||
v1 := e.Group("/api/v1")
|
||||
|
||||
// Add CSP middleware to public routes
|
||||
cspConfig := security.DefaultCSPConfig()
|
||||
e.Use(security.CSPMiddleware(cspConfig))
|
||||
|
||||
// Add CSP report endpoint
|
||||
e.POST("/api/v1/csp-report", security.CSPReportHandler)
|
||||
|
||||
customerGP := v1.Group("/profile")
|
||||
{
|
||||
customerGP.POST("/login", customerHandler.Login)
|
||||
|
||||
Reference in New Issue
Block a user