Remove csrf

The csrf implementation was bad, making it hard to debug and maintain

hero.go

@@ -13,7 +13,7 @@ import (
 
 	// load mysql driver.
 	_ "github.com/go-sql-driver/mysql"
-	"github.com/gorilla/csrf"
+	"github.com/gorilla/mux"
 	"github.com/jinzhu/gorm"
 
 	// loag postgres driver
@@ -248,7 +248,7 @@ type Server struct {
 	view  View
 	log   Logger
 	store *Store
-	mux   *http.ServeMux
+	mux   *mux.Router
 }
 
 //NewServer creates a new *Server.
@@ -277,21 +277,19 @@ func NewServer(cfg *Config, gen TokenGenerator, view View) *Server {
 		gen:   gen,
 		view:  view,
 		log:   NewLogger(),
-		mux:   http.NewServeMux(),
+		mux:   mux.NewRouter(),
 		store: DefaultStore(q.DB),
 	}
 	return s.Init()
 }
 
 // Init registers the url routes. This uses *http.ServerMux as its router.
 func (s *Server) Init() *Server {
-	// csrf protection
-	protect := csrf.Protect([]byte(s.cfg.CsrfSecret))
 
 	// normal stuffs
 	s.mux.HandleFunc(HomePath, s.Home)
-	s.mux.Handle(RegisterPath, protect(http.HandlerFunc(s.Register)))
-	s.mux.Handle(LoginPath, protect(http.HandlerFunc(s.Login)))
+	s.mux.HandleFunc(RegisterPath, s.Register)
+	s.mux.HandleFunc(LoginPath, s.Login)
 	s.mux.HandleFunc(LogoutPath, s.Logout)
 	s.mux.HandleFunc(ProfilePath, s.Profile)
 	s.mux.HandleFunc(ClientsPath, s.Client)
@@ -858,7 +856,6 @@ func (s *Server) Register(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data[csrf.TemplateTag] = csrf.TemplateField(r)
 	err := s.view.Render(w, s.cfg.RegisterTemplate, data)
 	if err != nil {
 		s.log.Println(err)
@@ -887,7 +884,6 @@ func (s *Server) Login(w http.ResponseWriter, r *http.Request) {
 		// loggin failed
 		return
 	}
-	data[csrf.TemplateTag] = csrf.TemplateField(r)
 	err := s.view.Render(w, s.cfg.LoginTemplate, data)
 	if err != nil {
 		s.log.Println(err)

hero_test.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/PuerkitoBio/goquery"
 	"github.com/antonholmquist/jason"
 )
 
@@ -55,22 +54,9 @@ func TestServer_Register(t *testing.T) {
 	}
 	w := httptest.NewRecorder()
 	testServer.ServeHTTP(w, req)
-	doc, err := goquery.NewDocumentFromReader(w.Body)
-	if err != nil {
-		t.Error(err)
-	}
-	tokField := doc.Find("input").First().Get(0)
-	var tok string
-	for _, v := range tokField.Attr {
-		if v.Key == "value" {
-			tok = v.Val
-		}
-	}
 	if w.Code != http.StatusOK {
 		t.Errorf("expected  %d got %d", http.StatusFound, w.Code)
 	}
-	regVars.Set("gorilla.csrf.Token", tok)
-
 	cookies := readSetCookies(w.HeaderMap)
 	req, err = http.NewRequest("POST", RegisterPath, strings.NewReader(regVars.Encode()))
 	if err != nil {
@@ -98,26 +84,12 @@ func TestServer_Login(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Errorf("expected  %d got %d", http.StatusFound, w.Code)
 	}
-	doc, err := goquery.NewDocumentFromReader(w.Body)
-	if err != nil {
-		t.Error(err)
-	}
-	tokField := doc.Find("input").First().Get(0)
-	var tok string
-	for _, v := range tokField.Attr {
-		if v.Key == "value" {
-			tok = v.Val
-		}
-	}
-
 	logVars := url.Values{
 		loginParams.username: {genericUser.UserName},
 		loginParams.password: {genericUser.Password},
 	}
-	logVars.Set("gorilla.csrf.Token", tok)
 	cookies := readSetCookies(w.HeaderMap)
-
-	req, err = http.NewRequest("POST", LoginPath, strings.NewReader(logVars.Encode()))
+	req, err := http.NewRequest("POST", LoginPath, strings.NewReader(logVars.Encode()))
 	if err != nil {
 		t.Error(err)
 	}

views/forms/login.html

@@ -1,5 +1,4 @@
 <form method="post" action="{{.Action}}">
-{{ .csrfField }}
   <p><input type="text" name="login_username" value="" placeholder="Username or Email"></p>
   <p><input type="password" name="login_password" value="" placeholder="Password"></p>
   <p class="remember_me">

views/forms/register.html

@@ -1,5 +1,4 @@
 <form method="post" action="/register">
-  {{ .csrfField }}
   <p><input type="text" name="register_username" value="" placeholder="Username"></p>
   <p><input type="password" name="register_password" value="" placeholder="Password"></p>
   <p><input type="password" name="register_confirm" value="" placeholder="Cofirm Password"></p>