Full code example here: https://github.com/crosbymichael/not-dockers-ui/commit/15d133324d22e84e3c2839d19b112a96ced4dd66
I've wrapped the handler with CSRF.Protect(), Angular is finding the _gorilla_csrf cookie and passing it back as the X-CSRF-Token header, but I always receive invalid token errors on non-GET requests:
Forbidden - CSRF token invalid
Am I trying to use the gorilla/csrf incorrectly?
Edit: Simplified example of what I'm trying to do:
var (
mux = http.NewServeMux()
fileHandler = http.FileServer(http.Dir(""))
h http.Handler
CSRF = csrf.Protect(
[]byte("32-byte-long-auth-key"),
csrf.HttpOnly(false),
csrf.Secure(false),
)
)
u, err := url.Parse("http://host/api")
if err != nil {
log.Fatal(err)
}
h = httputil.NewSingleHostReverseProxy(u)
mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h))
mux.Handle("/", fileHandler)
handler := CSRF(mux)
if err := http.ListenAndServe(*addr, handler); err != nil {
log.Fatal(err)
}
We serve static files from the server directly, and API requests pass through to an external backend. The app is an Angular SPA that often has multiple requests in flight to the API, but typically only has one non-GET request active at any time.