politeiawww: Add login to auth router.

This diff adds the login route to the auth router so that it is CSRF
protected.

politeiawww/userwww.go

@@ -797,9 +797,6 @@ func (p *politeiawww) setUserWWWRoutes() {
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteResendVerification, p.handleResendVerification,
 		permissionPublic)
-	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
-		www.RouteLogin, p.handleLogin,
-		permissionPublic)
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteLogout, p.handleLogout,
 		permissionPublic)
@@ -816,6 +813,10 @@ func (p *politeiawww) setUserWWWRoutes() {
 		www.RouteUsers, p.handleUsers,
 		permissionPublic)
 
+	// Setup the login route.
+	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
+		www.RouteLogin, p.handleLogin)
+
 	// Routes that require being logged in.
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteSecret, p.handleSecret,
@@ -869,9 +870,6 @@ func (p *politeiawww) setUserWWWRoutes() {
 // setCMSUserWWWRoutes setsup the user routes for cms mode
 func (p *politeiawww) setCMSUserWWWRoutes() {
 	// Public routes
-	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
-		www.RouteLogin, p.handleLogin,
-		permissionPublic)
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteLogout, p.handleLogout,
 		permissionPublic)
@@ -885,6 +883,10 @@ func (p *politeiawww) setCMSUserWWWRoutes() {
 		cms.RouteRegisterUser, p.handleRegisterUser,
 		permissionPublic)
 
+	// Setup the login route.
+	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
+		www.RouteLogin, p.handleLogin)
+
 	// Routes that require being logged in.
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteSecret, p.handleSecret,

politeiawww/www.go

@@ -266,8 +266,13 @@ func RespondWithError(w http.ResponseWriter, r *http.Request, userHttpCode int,
 // addRoute sets up a handler for a specific method+route. If method is not
 // specified it adds a websocket.
 func (p *politeiawww) addRoute(method string, routeVersion string, route string, handler http.HandlerFunc, perm permission) {
-	fullRoute := routeVersion + route
+	// Sanity check. The login route is special. It must be registered
+	// using the addLoginRoute() function.
+	if strings.Contains(route, "login") {
+		panic("you cannot use this function to register the login route")
+	}
 
+	fullRoute := routeVersion + route
 	switch perm {
 	case permissionAdmin:
 		handler = p.isLoggedInAsAdmin(handler)
@@ -292,6 +297,20 @@ func (p *politeiawww) addRoute(method string, routeVersion string, route string,
 	}
 }
 
+// addLoginRoute sets up a handler for the login route. The login route is
+// special. It is the only public route that requires CSRF protection, so we
+// use a separate function to register it.
+func (p *politeiawww) addLoginRoute(method string, routeVersion string, route string, handler http.HandlerFunc) {
+	// Sanity check
+	if !strings.Contains(route, "login") {
+		panic("you cannot use this function to register non login routes")
+	}
+
+	// Add login route to the auth router
+	fullRoute := routeVersion + route
+	p.auth.StrictSlash(true).HandleFunc(fullRoute, handler).Methods(method)
+}
+
 // getPluginInventory returns the politeiad plugin inventory. If a politeiad
 // connection cannot be made, the call will be retried every 5 seconds for up
 // to 1000 tries.