Add CSRF protection for cookie-authenticated requests

2026-03-23 16:20:26 +01:00
parent a3348e8795
commit fae7f80913
8 changed files with 139 additions and 17 deletions
--- a/templates/admin.html
+++ b/templates/admin.html
@@ -150,11 +150,13 @@
                <td>
                    <div class="btn-group">
                        {{if not .Deleted}}
-                        <form action="/api/files/admin/delete/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
+                        <form action="/api/files/admin/delete/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
+                            <input type="hidden" name="_csrf" class="csrf-field">
                            <button type="submit" style="background: #ffcccc;">Terminate</button>
                        </form>
                        {{end}}
-                        <form action="/api/files/admin/delete/fr/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
+                        <form action="/api/files/admin/delete/fr/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
+                            <input type="hidden" name="_csrf" class="csrf-field">
                            <button type="submit">Full_Wipe</button>
                        </form>
                    </div>
@@ -202,6 +204,13 @@
        currentForm = null;
    }

+    // Fill CSRF hidden inputs from cookie (double-submit pattern)
+    (function fillCSRF() {
+        const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+        const tok = m ? m.pop() : '';
+        document.querySelectorAll('.csrf-field').forEach(el => el.value = tok);
+    })();
+
    document.getElementById('modal-confirm-btn').addEventListener('click', () => {
        if (currentForm) {
            currentForm.submit();
--- a/templates/changePassword.html
+++ b/templates/changePassword.html
@@ -258,9 +258,12 @@
        }

        try {
+            const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+            const csrf = m ? m.pop() : '';
+
            const res = await fetch('/api/user/change-password', {
                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
+                headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrf },
                body: JSON.stringify({
                    old_password: current,
                    new_password: nv
--- a/templates/login.html
+++ b/templates/login.html
@@ -127,10 +127,14 @@
        const password = document.getElementById("password").value;

        try {
+            const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+            const csrf = m ? m.pop() : '';
+
            const res = await fetch("/api/auth/login", {
                method: "POST",
                headers: {
-                    "Content-Type": "application/json"
+                    "Content-Type": "application/json",
+                    "X-CSRF-Token": csrf
                },
                body: JSON.stringify({
                    username: username,