auth
auth/authd/templates/simple.gotmpl
Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.
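The session, token and cookie behaviour the message describes, as an added Go example that is not authd's own code: it assumes hypothetical `Config`, `Session` and `NewSession` names, a constant-time token comparison, and a `SecureCookie` flag standing in for the configuration parameter the commit adds.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Config: Secure cookies are required in production but must be switchable off for plain-HTTP tests.
type Config struct {
	SecureCookie bool
	SessionTTL   time.Duration // short: only long enough to approve the OAuth request
}

// Session is the short-lived login session; the template embeds CSRFToken in its hidden field.
type Session struct {
	ID, CSRFToken string
	Expires       time.Time
}

// NewSession mints a session ID and a separate random CSRF token, plus an expiry.
func NewSession(cfg Config, now time.Time) *Session {
	b := make([]byte, 48)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is unrecoverable
	}
	return &Session{ID: hex.EncodeToString(b[:16]), CSRFToken: hex.EncodeToString(b[16:]),
		Expires: now.Add(cfg.SessionTTL)}
}

// CheckCSRF returns nil for a matching token on an unexpired session; callers log the error as a CSRF attempt.
func (s *Session) CheckCSRF(submitted string, now time.Time) error {
	if !now.Before(s.Expires) {
		return fmt.Errorf("session %s expired", s.ID)
	}
	// Constant-time compare so a mismatch does not leak how many bytes matched.
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(s.CSRFToken)) != 1 {
		return fmt.Errorf("csrf token mismatch for session %s", s.ID)
	}
	return nil
}

// SessionCookie builds the session cookie; Secure follows the config flag.
func SessionCookie(cfg Config, s *Session) *http.Cookie {
	return &http.Cookie{Name: "session", Value: s.ID, Expires: s.Expires, HttpOnly: true, Secure: cfg.SecureCookie, SameSite: http.SameSiteLaxMode}
}
```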
1.1 --- a/authd/templates/simple.gotmpl Sat Jan 24 10:34:33 2015 -0500 1.2 +++ b/authd/templates/simple.gotmpl Wed Jan 28 07:27:32 2015 -0500 1.3 @@ -28,6 +28,7 @@ 1.4 <p>{{ .client.Name }} is requesting access to your account. if you grant it, you'll be redirected to {{ .redirectURL }}. Their access will be limited to {{ .scope }}. You are granting access for {{ .profile.Name }}.</p>{{ end }}{{ end }} 1.5 <form method="POST"> 1.6 <input type="submit" name="grant" value="approved"> 1.7 + <input type="hidden" name="csrftoken" value="{{ .csrftoken }}"> 1.8 </form> 1.9 </body> 1.10 </html>{{ end }}
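Review bot: the new hidden field `<input type="hidden" name="csrftoken" value="{{ .csrftoken }}">` depends on the template engine escaping the token in attribute context; if simple.gotmpl is parsed with text/template rather than html/template, a token value containing `"` or `>` would break out of the attribute, so either confirm html/template is used or document that the token is always hex or URL-safe base64. Since the message says the login page now compares this token against the session, it is also worth stating in the commit message that the comparison is constant-time (crypto/subtle.ConstantTimeCompare) so the logged mismatch path does not leak partial matches.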