politeiawww: Add login to auth router. (#1482)

This diff adds the login route to the auth router so that it is CSRF
protected.

Co-authored-by: lukebp <[email protected]>

politeiawww/userwww.go

@@ -740,9 +740,6 @@ func (p *politeiawww) setUserWWWRoutes() {
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteResendVerification, p.handleResendVerification,
 		permissionPublic)
-	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
-		www.RouteLogin, p.handleLogin,
-		permissionPublic)
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteLogout, p.handleLogout,
 		permissionPublic)
@@ -759,6 +756,10 @@ func (p *politeiawww) setUserWWWRoutes() {
 		www.RouteUsers, p.handleUsers,
 		permissionPublic)
 
+	// Setup the login route.
+	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
+		www.RouteLogin, p.handleLogin)
+
 	// Routes that require being logged in.
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteSecret, p.handleSecret,
@@ -803,9 +804,6 @@ func (p *politeiawww) setUserWWWRoutes() {
 // setCMSUserWWWRoutes setsup the user routes for cms mode
 func (p *politeiawww) setCMSUserWWWRoutes() {
 	// Public routes
-	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
-		www.RouteLogin, p.handleLogin,
-		permissionPublic)
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteLogout, p.handleLogout,
 		permissionPublic)
@@ -819,6 +817,10 @@ func (p *politeiawww) setCMSUserWWWRoutes() {
 		cms.RouteRegisterUser, p.handleRegisterUser,
 		permissionPublic)
 
+	// Setup the login route.
+	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
+		www.RouteLogin, p.handleLogin)
+
 	// Routes that require being logged in.
 	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
 		www.RouteSecret, p.handleSecret,

politeiawww/www.go

@@ -187,8 +187,13 @@ func RespondWithError(w http.ResponseWriter, r *http.Request, userHttpCode int,
 // specified it adds a websocket. The routeVersion should be in the format
 // "/v1".
 func (p *politeiawww) addRoute(method string, routeVersion string, route string, handler http.HandlerFunc, perm permission) {
-	fullRoute := routeVersion + route
+	// Sanity check. The login route is special. It must be registered
+	// using the addLoginRoute() function.
+	if strings.Contains(route, "login") {
+		panic("you cannot use this function to register the login route")
+	}
 
+	fullRoute := routeVersion + route
 	switch perm {
 	case permissionAdmin:
 		handler = p.isLoggedInAsAdmin(handler)
@@ -213,6 +218,20 @@ func (p *politeiawww) addRoute(method string, routeVersion string, route string,
 	}
 }
 
+// addLoginRoute sets up a handler for the login route. The login route is
+// special. It is the only public route that requires CSRF protection, so we
+// use a separate function to register it.
+func (p *politeiawww) addLoginRoute(method string, routeVersion string, route string, handler http.HandlerFunc) {
+	// Sanity check
+	if !strings.Contains(route, "login") {
+		panic("you cannot use this function to register non login routes")
+	}
+
+	// Add login route to the auth router
+	fullRoute := routeVersion + route
+	p.auth.StrictSlash(true).HandleFunc(fullRoute, handler).Methods(method)
+}
+
 // makeRequest makes an http request to the method and route provided,
 // serializing the provided object as the request body.
 //