fixed csrf

This commit is contained in:
2026-02-18 10:33:42 +08:00
parent 7020e16a97
commit f74c84df03
3 changed files with 18 additions and 8 deletions
+9
@@ -6,6 +6,8 @@ import (
"encoding/base64"
"log"
"net/http"
"net/url"
"strings"
"sync"
"time"
)
@@ -80,6 +82,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
})
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
log.Print("Request headers: ", r.Header)
if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
// For GET requests, generate and set a new CSRF token
token, err := generateCSRFToken()
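Review bot: The added `log.Print("Request headers: ", r.Header)` writes every inbound header to the log on every request, which includes Cookie, Authorization and the very CSRF token header this middleware validates a few lines later, so session credentials end up in log storage and in whatever log shipping sits downstream. If it is leftover debugging from the fix it should be dropped before merge; if a trace is wanted, log only what diagnosis needs and never header values, e.g. `log.Printf("csrf: method=%s path=%s", r.Method, r.URL.Path)`. The handler closure and CSRFMiddleware itself continue outside this hunk.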
@@ -113,6 +116,12 @@ func CSRFMiddleware(next http.Handler) http.Handler {
return
}
if strings.Contains(tokenFromHeader, "%") {
if decoded, err := url.QueryUnescape(tokenFromHeader); err == nil {
tokenFromHeader = decoded
}
}
if !validateToken(tokenFromHeader) {
helper.RespondWithError(w, http.StatusForbidden, "Invalid or expired CSRF token")
return