Diffstat (limited to 'genesungswuensche.go')
-rw-r--r-- | genesungswuensche.go | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/genesungswuensche.go b/genesungswuensche.go
index dc526b6..68fd81b 100644
--- a/genesungswuensche.go
+++ b/genesungswuensche.go
@@ -924,7 +924,7 @@ func (s *Server) markReadHandler(w http.ResponseWriter, r *http.Request) {
 }
 fmt.Println(r.Header.Get("X-Forwarded-For"),
- "mark read success from",
+ "mark read from",
 sourcePath, "to", destPath)
 w.Header().Set("Content-Type", "application/json")
@@ -992,7 +992,7 @@ func (s *Server) markUnreadHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 fmt.Println(r.Header.Get("X-Forwarded-For"),
- "unread success from",
+ "mark unread from",
 sourcePath, "to", destPath)
 w.Header().Set("Content-Type", "application/json")
@@ -1011,7 +1011,16 @@ func auth(handler http.HandlerFunc) http.HandlerFunc {
 http.Error(w, "Unauthorized", http.StatusUnauthorized)
 return
 }
+ handler(w, r)
+ }
+}
+func referer(handler http.HandlerFunc) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ if r.Referer() != "https://www.codeblau.de/genesung/" {
+ http.Error(w, "CSRF!?", http.StatusBadRequest)
+ return
+ }
 handler(w, r)
 }
 }
@@ -1034,8 +1043,8 @@ func main() {
 }
 http.HandleFunc("/", auth(server.indexHandler))
- http.HandleFunc("/genesung/api/mark-read", auth(server.markReadHandler))
- http.HandleFunc("/genesung/api/mark-unread", auth(server.markUnreadHandler))
+ http.HandleFunc("/genesung/api/mark-read", auth(referer(server.markReadHandler)))
+ http.HandleFunc("/genesung/api/mark-unread", auth(referer(server.markUnreadHandler)))
 fmt.Printf("Starting server on http://localhost:%s\n", port)
 fmt.Printf("Serving emails from: %s\n", maildirPath) |
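Review bot: The exact-string comparison in the new `referer` middleware (third hunk, wired in for both API routes in the fourth) is brittle: a legitimate request from `https://www.codeblau.de/genesung/` carrying a query string, made from `index.html`, or sent by a browser whose Referrer-Policy trims the value to the bare origin fails with 400 and the user is locked out, while the check still says nothing about a non-browser client that sets the header itself, which only the outer `auth` handles. The browser-controlled signal that matters for CSRF is the origin, not the path, and on cross-site POST/fetch browsers send `Origin` even when `Referer` is suppressed, so compare scheme and host of `Origin` (falling back to `Referer`) via `net/url` and answer 403 rather than 400; if the toolchain is Go 1.25 or newer, the standard `http.CrossOriginProtection` implements this with Fetch-metadata headers and is preferable to a hand-rolled check. The allowed origin is also a hard-coded production URL that belongs in configuration next to `port` and `maildirPath` in `main`, and the new function should carry a doc comment such as `// referer rejects requests whose Origin/Referer is not the expected site (CSRF guard); it does not replace auth.`
```go
func referer(handler http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Browsers send Origin on cross-site POST/fetch even when Referer is
		// suppressed; fall back to Referer for same-site navigations.
		src := r.Header.Get("Origin")
		if src == "" {
			src = r.Referer()
		}
		// Compare scheme and host only: the path is not a CSRF boundary and
		// varies with query strings and Referrer-Policy.
		u, err := url.Parse(src)
		if err != nil || u.Scheme != "https" || u.Host != "www.codeblau.de" {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		handler(w, r)
	}
}
```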