The GET method is in `allowedMethods`, so it should never result in a CSRF failure, right?
But this can happen if you come from a link or redirect from another origin, as `ViewArgs` is only populated at the end of the filter if certain conditions are met.
I got the same issue on my site. Accessing the login-form page directly from a Google search, an Invalid CSRF error occurred since `c.ViewArgs["_csrftoken"]` was empty.
@entereal Yes, you will get an invalid token if the page is loaded directly from another domain. Your login link should do a redirect to a CSRF page, like:
Main Page -> Link to Login
Login Page -> Redirect to secure CSRF login page
Secure Login
Then Google will only cache the link `yourdomain.com/login`, and that can safely redirect to `yourdomain.com/login/secure`.
In case someone does try to directly load `yourdomain.com/login/secure`, you can add a filter to check the referer, and if the referer wasn't `yourdomain.com/login`, then redirect the response to that page first.
Both https://github.com/justinas/nosurf and https://github.com/cbonello/revel-csrf handle this differently, either populating ViewArgs early or short-circuiting allowedMethods.
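An added example (not Revel's filter and not code from either library above) of the ordering the issue asks for, written in plain `net/http`: the token is issued on every request before the method check, so a GET arriving from another origin still has a token to render, and only unsafe methods are validated. The cookie name `_csrftoken` and the double-submit-cookie check are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// Constructed example, not Revel's own filter: issue the token before the
// method check so a cross-origin GET still has a token to render.
const tokenCookie = "_csrftoken" // assumed name, mirroring the ViewArgs key in the issue
var allowedMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "TRACE": true}

// issueToken reuses the client's cookie or mints a fresh random token.
func issueToken(w http.ResponseWriter, r *http.Request) string {
	if c, err := r.Cookie(tokenCookie); err == nil && c.Value != "" {
		return c.Value
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	t := hex.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{Name: tokenCookie, Value: t, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	return t
}

// ValidToken: safe methods always pass; unsafe methods must submit the cookie value.
func ValidToken(r *http.Request, expected string) bool {
	if allowedMethods[r.Method] {
		return true
	}
	got := r.FormValue(tokenCookie)
	return got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

// TokenHandler receives the token the way a Revel action reads it from ViewArgs.
type TokenHandler func(w http.ResponseWriter, r *http.Request, token string)

// CSRFFilter orders the work as the issue describes: token first, method check second.
func CSRFFilter(next TokenHandler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := issueToken(w, r)
		if !ValidToken(r, token) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next(w, r, token)
	})
}
```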