From f74c84df0319604a89165b2556edf4cf1666a882 Mon Sep 17 00:00:00 2001
From: F04C
Date: Wed, 18 Feb 2026 10:33:42 +0800
Subject: [PATCH] fixed csrf

---
 handlers/access_log.go | 13 ++++++-------
 handlers/google_auth.go | 4 +++-
 middleware/csrf.go | 9 +++++++++
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/handlers/access_log.go b/handlers/access_log.go
index b9d89fc..c74e74d 100644
--- a/handlers/access_log.go
+++ b/handlers/access_log.go
@@ -7,17 +7,15 @@ import (
 "net/http"
 )
 
-func accessLog(w http.ResponseWriter, r *http.Request, user *string, actType int, fieldUpdated interface{}) {
+func accessLog(r *http.Request, user *string, actType int, fieldUpdated interface{}) error {
 email, err := helper.ExtractEmailFromToken(r.Header.Get(Authorization))
 if err != nil {
- helper.RespondWithError(w, http.StatusUnauthorized, UnauthorizedAccess)
- return
+ return fmt.Errorf("%s", UnauthorizedAccess)
 }
 userID, err := services.GetUserIDFromEmail(email)
 if err != nil {
 helper.LogError(err, ErrorExtractingMailFromToken)
- helper.RespondWithError(w, http.StatusBadRequest, ErrorExtractingMailFromToken)
- return
+ return fmt.Errorf("%s", ErrorExtractingMailFromToken)
 }
 ipAddress := getIPAddress(r)
 err = helper.LogEvent(userID, user, ipAddress, actType, fieldUpdated)
@@ -26,7 +24,8 @@ func accessLog(w http.ResponseWriter, r *http.Request, user *string, actType int
 if err == nil {
 errMsg = "Perform Action"
 }
- helper.RespondWithError(w, http.StatusInternalServerError, fmt.Sprintf("Failed to %s", errMsg))
- return
+ return fmt.Errorf("Failed to %s", errMsg)
 }
+
+ return nil
 }
diff --git a/handlers/google_auth.go b/handlers/google_auth.go
index e32698b..af305f3 100644
--- a/handlers/google_auth.go
+++ b/handlers/google_auth.go
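Review bot: The two new `return fmt.Errorf("%s", ...)` lines discard the underlying error from `helper.ExtractEmailFromToken` and `services.GetUserIDFromEmail`, so the caller that now logs the returned error (the google_auth.go hunk) only ever sees the constant message; the `Failed to %s` return in the second hunk of this file has the same shape. Wrapping keeps the cause and lets callers use `errors.Is`/`errors.As`: `return fmt.Errorf("%s: %w", UnauthorizedAccess, err)` and `return fmt.Errorf("%s: %w", ErrorExtractingMailFromToken, err)`. Dropping `helper.RespondWithError` also drops the 401/400/500 distinction the function used to emit; if any caller still needs to map these cases to a status, a sentinel error per case would preserve it. accessLog's body continues in the next hunk.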
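Review bot: `fmt.Errorf("Failed to %s", errMsg)` starts with a capital letter and with "Failed to", which Go convention leaves to the logging layer; the new caller already logs it under its own "Failed to write access log" message, so the phrase is doubled in the log line. `return fmt.Errorf("failed to %s", errMsg)` chains more cleanly. The enclosing block starts before the hunk, so whether `err` still holds the `helper.LogEvent` result at this point is not visible here; if it does, wrapping it with `%w` would keep the cause.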
@@ -633,7 +633,9 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 helper.LogError(err, "Failed to parse JWT token during logout")
 }
 
- accessLog(w, r, nil, 18, nil)
+ if err := accessLog(r, nil, 18, nil); err != nil {
+ helper.LogError(err, "Failed to write access log during logout")
+ }
 
 clearRefreshTokenCookie(w)
 
diff --git a/middleware/csrf.go b/middleware/csrf.go
index 82515db..a6c1ec4 100644
--- a/middleware/csrf.go
+++ b/middleware/csrf.go
@@ -6,6 +6,8 @@ import (
 "encoding/base64"
 "log"
 "net/http"
+ "net/url"
+ "strings"
 "sync"
 "time"
 )
@@ -80,6 +82,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 })
 
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ log.Print("Request headers: ", r.Header)
 if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
 // For GET requests, generate and set a new CSRF token
 token, err := generateCSRFToken()
@@ -113,6 +116,12 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 return
 }
 
+ if strings.Contains(tokenFromHeader, "%") {
+ if decoded, err := url.QueryUnescape(tokenFromHeader); err == nil {
+ tokenFromHeader = decoded
+ }
+ }
+
 if !validateToken(tokenFromHeader) {
 helper.RespondWithError(w, http.StatusForbidden, "Invalid or expired CSRF token")
 return
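Review bot: The new `if err := accessLog(...)` makes the audit record best-effort during logout: a failure is logged and the request still proceeds to `clearRefreshTokenCookie(w)`, where before the handler answered with an error response and stopped. That is a defensible choice for a logout path, but it is a deliberate one and should be recorded on the line, e.g. `// Audit logging is best-effort here: the logout must complete even when the event cannot be recorded.` The bare `18` for actType predates this change, but since the line is being rewritten it is a good moment to give it a named constant. LogoutHandler starts before the hunk.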
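Review bot: `log.Print("Request headers: ", r.Header)` writes every header of every request to the log, which includes `Authorization` (the bearer token that `accessLog` reads from that same header), `Cookie` (presumably carrying the refresh-token cookie that `clearRefreshTokenCookie` manages) and the CSRF token header itself, so credentials end up in log storage with whatever retention and access the logs have. It should be removed before merge, or reduced to a debug-only line that prints a fixed allowlist of non-sensitive headers. CSRFMiddleware starts before the hunk.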
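Review bot: `url.QueryUnescape` also turns `+` into a space, so a token that contains `+` (standard base64 output — the file imports `encoding/base64`, though token generation is not visible here) together with a `%` from partial encoding would be mangled and then rejected by `validateToken`. `url.PathUnescape` decodes percent-escapes without the `+` rule: `if decoded, err := url.PathUnescape(tokenFromHeader); err == nil {`. The `strings.Contains(tokenFromHeader, "%")` guard is then redundant, since unescaping a string with no `%` is a no-op. The longer-term fix is to issue tokens from an alphabet that never needs encoding (for example `base64.RawURLEncoding`) so the header value can be compared exactly. CSRFMiddleware starts before the hunk.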