Admin UI: replace gin with mux (#8420)

* Replace admin gin router with mux

* Update layout_templ.go

* Harden admin handlers

* Add login CSRF handling

* Fix filer copy naming conflict

* address comments

* address comments

weed/admin/dash/csrf.go

@@ -4,10 +4,10 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/hex"
+	"fmt"
 	"net/http"
 
-	"github.com/gin-contrib/sessions"
-	"github.com/gin-gonic/gin"
+	"github.com/gorilla/sessions"
 )
 
 const sessionCSRFTokenKey = "csrf_token"
@@ -20,41 +20,77 @@ func generateCSRFToken() (string, error) {
 	return hex.EncodeToString(tokenBytes), nil
 }
 
-func getOrCreateSessionCSRFToken(session sessions.Session) (string, error) {
-	if existing, ok := session.Get(sessionCSRFTokenKey).(string); ok && existing != "" {
+func getOrCreateSessionCSRFToken(session *sessions.Session, r *http.Request, w http.ResponseWriter) (string, error) {
+	if existing, ok := session.Values[sessionCSRFTokenKey].(string); ok && existing != "" {
 		return existing, nil
 	}
 	token, err := generateCSRFToken()
 	if err != nil {
 		return "", err
 	}
-	session.Set(sessionCSRFTokenKey, token)
-	if err := session.Save(); err != nil {
+	session.Values[sessionCSRFTokenKey] = token
+	if err := session.Save(r, w); err != nil {
 		return "", err
 	}
 	return token, nil
 }
 
-func requireSessionCSRFToken(c *gin.Context) bool {
-	session := sessions.Default(c)
-	if session.Get("authenticated") != true {
+func requireSessionCSRFToken(w http.ResponseWriter, r *http.Request) bool {
+	expectedToken := CSRFTokenFromContext(r.Context())
+	username := UsernameFromContext(r.Context())
+	if expectedToken == "" {
 		// Admin UI can run without auth; in that mode CSRF token checks are not applicable.
-		return true
-	}
-
-	expectedToken, ok := session.Get(sessionCSRFTokenKey).(string)
-	if !ok || expectedToken == "" {
-		c.JSON(http.StatusForbidden, gin.H{"error": "missing CSRF session token"})
+		if username == "" {
+			return true
+		}
+		writeJSONError(w, http.StatusForbidden, "missing CSRF session token")
 		return false
 	}
 
-	providedToken := c.GetHeader("X-CSRF-Token")
-	if providedToken == "" {
-		providedToken = c.PostForm("csrf_token")
+	providedToken, err := getProvidedCSRFToken(r)
+	if err != nil {
+		writeJSONError(w, http.StatusBadRequest, "Failed to parse form: "+err.Error())
+		return false
 	}
 	if providedToken == "" || subtle.ConstantTimeCompare([]byte(expectedToken), []byte(providedToken)) != 1 {
-		c.JSON(http.StatusForbidden, gin.H{"error": "invalid CSRF token"})
+		writeJSONError(w, http.StatusForbidden, "invalid CSRF token")
 		return false
 	}
 	return true
 }
+
+func getProvidedCSRFToken(r *http.Request) (string, error) {
+	providedToken := r.Header.Get("X-CSRF-Token")
+	if providedToken != "" {
+		return providedToken, nil
+	}
+	if err := r.ParseForm(); err != nil {
+		return "", err
+	}
+	return r.FormValue("csrf_token"), nil
+}
+
+func EnsureSessionCSRFToken(session *sessions.Session, r *http.Request, w http.ResponseWriter) (string, error) {
+	if session == nil {
+		return "", fmt.Errorf("session is nil")
+	}
+	return getOrCreateSessionCSRFToken(session, r, w)
+}
+
+func ValidateSessionCSRFToken(session *sessions.Session, r *http.Request) error {
+	if session == nil {
+		return fmt.Errorf("session is nil")
+	}
+	expectedToken, _ := session.Values[sessionCSRFTokenKey].(string)
+	providedToken, err := getProvidedCSRFToken(r)
+	if err != nil {
+		return fmt.Errorf("failed to read CSRF token: %w", err)
+	}
+	if expectedToken == "" {
+		return fmt.Errorf("missing session CSRF token")
+	}
+	if providedToken == "" || subtle.ConstantTimeCompare([]byte(expectedToken), []byte(providedToken)) != 1 {
+		return fmt.Errorf("invalid CSRF token")
+	}
+	return nil
+}