CSRF Cookie fixes

- Only set the cookie if it doesn't exist
- Always mark it secure (it was previously getting re-sent as not)
- Check the value against the header even if there was no value (so that
a request that is missing the cookie but should have had one fails).

pkg/schemaserver/server/validate.go

@@ -54,9 +54,13 @@ func CheckCSRF(apiOp *types.APIRequest) error {
 		}
 
 		cookie = &http.Cookie{
-			Name:  csrfCookie,
-			Value: hex.EncodeToString(bytes),
+			Name:   csrfCookie,
+			Value:  hex.EncodeToString(bytes),
+			Path:   "/",
+			Secure: true,
 		}
+
+		http.SetCookie(apiContext.Response, cookie)
 	} else if err != nil {
 		return httperror.NewAPIError(validation.InvalidCSRFToken, "Failed to parse cookies")
 	} else if apiOp.Method != http.MethodGet {
@@ -72,7 +76,5 @@ func CheckCSRF(apiOp *types.APIRequest) error {
 		}
 	}
 
-	cookie.Path = "/"
-	http.SetCookie(apiOp.Response, cookie)
 	return nil
 }

pkg/schemaserver/subscribe/handler.go

@@ -4,10 +4,9 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/rancher/wrangler/pkg/schemas/validation"
-
 	"github.com/gorilla/websocket"
 	"github.com/rancher/steve/pkg/schemaserver/types"
+	"github.com/rancher/wrangler/pkg/schemas/validation"
 	"github.com/sirupsen/logrus"
 )