CSRF: support older token-based CSRF protection handler that want to render token into template

aldas · aldas · commit 037dec4a69bf · 2026-01-25T20:21:45.000+02:00
diff --git a/middleware/csrf.go b/middleware/csrf.go
@@ -13,6 +13,11 @@ import (
 	"github.com/labstack/echo/v5"
 )
 
+// CSRFUsingSecFetchSite is a context key for CSRF middleware what is set when the client browser is using Sec-Fetch-Site
+// header and the request is deemed safe.
+// It is a dummy token value that can be used to render CSRF token for form by handlers.
+const CSRFUsingSecFetchSite = "_echo_csrf_using_sec_fetch_site_"
+
 // CSRFConfig defines the config for CSRF middleware.
 type CSRFConfig struct {
 	// Skipper defines a function to skip middleware.
@@ -277,6 +282,11 @@ func (config CSRFConfig) checkSecFetchSiteRequest(c *echo.Context) (bool, error)
 	}
 
 	if isSafe {
+		// This helps handlers that support older token-based CSRF protection.
+		// We know that the client is using a browser that supports Sec-Fetch-Site header, so when the form is submitted in
+		// the future with this dummy token value it is OK. Although the request is safe, the template rendered by the
+		// handler may need this value to render CSRF token for form.
+		c.Set(config.ContextKey, CSRFUsingSecFetchSite)
 		return true, nil
 	}
 	// we are here when request is state-changing and `cross-site` or `same-site`
diff --git a/middleware/csrf_test.go b/middleware/csrf_test.go
@@ -238,12 +238,14 @@ func TestCSRFWithConfig(t *testing.T) {
 		expectEmptyBody      bool
 		expectMWError        string
 		expectCookieContains string
+		expectTokenInContext string
 		expectErr            string
 	}{
 		{
 			name:                 "ok, GET",
 			whenMethod:           http.MethodGet,
 			expectCookieContains: "_csrf",
+			expectTokenInContext: "TESTTOKEN",
 		},
 		{
 			name: "ok, POST valid token",
@@ -253,6 +255,7 @@ func TestCSRFWithConfig(t *testing.T) {
 			},
 			whenMethod:           http.MethodPost,
 			expectCookieContains: "_csrf",
+			expectTokenInContext: token,
 		},
 		{
 			name:            "nok, POST without token",
@@ -281,13 +284,23 @@ func TestCSRFWithConfig(t *testing.T) {
 			},
 			whenMethod:           http.MethodGet,
 			expectCookieContains: "_csrf",
+			expectTokenInContext: "TESTTOKEN",
 		},
 		{
 			name: "ok, unsafe method + SecFetchSite=same-origin passes",
 			whenHeaders: map[string]string{
 				echo.HeaderSecFetchSite: "same-origin",
 			},
-			whenMethod: http.MethodPost,
+			whenMethod:           http.MethodPost,
+			expectTokenInContext: "_echo_csrf_using_sec_fetch_site_",
+		},
+		{
+			name: "ok, safe method + SecFetchSite=same-origin passes",
+			whenHeaders: map[string]string{
+				echo.HeaderSecFetchSite: "same-origin",
+			},
+			whenMethod:           http.MethodGet,
+			expectTokenInContext: "_echo_csrf_using_sec_fetch_site_",
 		},
 		{
 			name: "nok, unsafe method + SecFetchSite=same-cross blocked",
@@ -315,6 +328,12 @@ func TestCSRFWithConfig(t *testing.T) {
 			if tc.givenConfig != nil {
 				config = *tc.givenConfig
 			}
+			if config.Generator == nil {
+				config.Generator = func() string {
+					return "TESTTOKEN"
+				}
+			}
+
 			mw, err := config.ToMiddleware()
 			if tc.expectMWError != "" {
 				assert.EqualError(t, err, tc.expectMWError)
@@ -323,6 +342,8 @@ func TestCSRFWithConfig(t *testing.T) {
 			assert.NoError(t, err)
 
 			h := mw(func(c *echo.Context) error {
+				cToken := c.Get(cmp.Or(config.ContextKey, DefaultCSRFConfig.ContextKey))
+				assert.Equal(t, tc.expectTokenInContext, cToken)
 				return c.String(http.StatusOK, "test")
 			})
 
