From d49e896d630a2b9e3c3b1f451f7cd05a9e7b5bba Mon Sep 17 00:00:00 2001
From: Aaron Schlesinger
Date: Wed, 11 Jul 2018 17:12:04 -0700
Subject: [PATCH] Adding option to disable CSRF protection (#248)

* Adding option to disable CSRF protection
This is useful at least for local development
cc/ @marwan-at-work
* using proper func name
---
 cmd/olympus/actions/app.go | 6 ++++--
 cmd/proxy/actions/app.go | 6 ++++--
 pkg/config/env/csrf.go | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 pkg/config/env/csrf.go

diff --git a/cmd/olympus/actions/app.go b/cmd/olympus/actions/app.go
index 3315e429..3fe20e1d 100644
--- a/cmd/olympus/actions/app.go
+++ b/cmd/olympus/actions/app.go
@@ -75,8 +75,10 @@ func App(config *AppConfig) *buffalo.App {
 initializeTracing(app)
 // Protect against CSRF attacks. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 // Remove to disable this.
- csrfMiddleware := csrf.New
- app.Use(csrfMiddleware)
+ if env.EnableCSRFProtection() {
+ csrfMiddleware := csrf.New
+ app.Use(csrfMiddleware)
+ }
 
 // TODO: parameterize the GoGet getter here.
 //
diff --git a/cmd/proxy/actions/app.go b/cmd/proxy/actions/app.go
index 62fa67e9..74c98ccf 100644
--- a/cmd/proxy/actions/app.go
+++ b/cmd/proxy/actions/app.go
@@ -79,8 +79,10 @@ func App() (*buffalo.App, error) {
 initializeTracing(app)
 // Protect against CSRF attacks. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 // Remove to disable this.
- csrfMiddleware := csrf.New
- app.Use(csrfMiddleware)
+ if env.EnableCSRFProtection() {
+ csrfMiddleware := csrf.New
+ app.Use(csrfMiddleware)
+ }
 
 // Wraps each request in a transaction.
 // c.Value("tx").(*pop.PopTransaction)
diff --git a/pkg/config/env/csrf.go b/pkg/config/env/csrf.go
new file mode 100644
index 00000000..2bdc07c0
--- /dev/null
+++ b/pkg/config/env/csrf.go
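Review bot: The `// Remove to disable this.` comment kept directly above the new `if` is stale now that the middleware is switched by configuration rather than by deleting code; the identical hunk in cmd/proxy/actions/app.go carries the same stale comment. Replace it in both files with `// Set ATHENS_ENABLE_CSRF_PROTECTION=false to disable this (e.g. for local development).` so a reader knows the real switch. Neither hunk touches the import block, so `env` is presumably already imported in both app.go files; worth confirming, since the diffstat counts only these four added lines per file. App() starts before the hunk and continues after it in both files.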
@@ -0,0 +1,17 @@
+package env
+
+import (
+ "strconv"
+
+ "github.com/gobuffalo/envy"
+)
+
+// EnableCSRFProtection determines whether to enable CSRF protection
+func EnableCSRFProtection() bool {
+ boolStr := envy.Get("ATHENS_ENABLE_CSRF_PROTECTION", "false")
+ enable, err := strconv.ParseBool(boolStr)
+ if err != nil {
+ return false
+ }
+ return enable
+}
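Review bot: The `"false"` default passed to `envy.Get` turns the CSRF middleware off in both servers unless an operator explicitly sets ATHENS_ENABLE_CSRF_PROTECTION=true, which turns the local-development opt-out described in the commit message into a production default of no protection. The `err != nil` branch fails open the same way: a mistyped value silently disables the middleware instead of keeping it. Suggest `boolStr := envy.Get("ATHENS_ENABLE_CSRF_PROTECTION", "true")` and `return true` in the error branch, or return the parse error to the caller so startup fails loudly on a bad value. The doc comment should also name the variable and the default, e.g. `// EnableCSRFProtection reports whether the CSRF middleware should be installed, based on ATHENS_ENABLE_CSRF_PROTECTION (default true; unparseable values keep protection on).`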