Adding option to disable CSRF protection (#248)

* Adding option to disable CSRF protection

This is useful at least for local development

cc/ @marwan-at-work

* using proper func name

cmd/olympus/actions/app.go

@@ -75,8 +75,10 @@ func App(config *AppConfig) *buffalo.App {
 		initializeTracing(app)
 		// Protect against CSRF attacks. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 		// Remove to disable this.
-		csrfMiddleware := csrf.New
-		app.Use(csrfMiddleware)
+		if env.EnableCSRFProtection() {
+			csrfMiddleware := csrf.New
+			app.Use(csrfMiddleware)
+		}
 
 		// TODO: parameterize the GoGet getter here.
 		//

cmd/proxy/actions/app.go

@@ -79,8 +79,10 @@ func App() (*buffalo.App, error) {
 		initializeTracing(app)
 		// Protect against CSRF attacks. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 		// Remove to disable this.
-		csrfMiddleware := csrf.New
-		app.Use(csrfMiddleware)
+		if env.EnableCSRFProtection() {
+			csrfMiddleware := csrf.New
+			app.Use(csrfMiddleware)
+		}
 
 		// Wraps each request in a transaction.
 		//  c.Value("tx").(*pop.PopTransaction)

pkg/config/env/csrf.go

@@ -0,0 +1,17 @@
+package env
+
+import (
+	"strconv"
+
+	"github.com/gobuffalo/envy"
+)
+
+// EnableCSRFProtection determines whether to enable CSRF protection
+func EnableCSRFProtection() bool {
+	boolStr := envy.Get("ATHENS_ENABLE_CSRF_PROTECTION", "false")
+	enable, err := strconv.ParseBool(boolStr)
+	if err != nil {
+		return false
+	}
+	return enable
+}