Add CSRF protection for cookie-authenticated requests

cmd/server/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"ResendIt/internal/api/middleware"
 	"ResendIt/internal/auth"
 	"ResendIt/internal/db"
 	"ResendIt/internal/file"
@@ -38,6 +39,9 @@ func main() {
 
 	r := gin.Default()
 
+	// CSRF: set a token cookie for browsers and enforce it on unsafe /api calls.
+	r.Use(middleware.EnsureCSRFCookie())
+
 	r.MaxMultipartMemory = 10 << 30
 	r.SetFuncMap(template.FuncMap{
 		"add":       func(a, b int) int { return a + b },
@@ -74,6 +78,7 @@ func main() {
 	createAdminUser(userService)
 
 	apiRoute := r.Group("/api")
+	apiRoute.Use(middleware.CSRFMiddleware())
 
 	auth.RegisterRoutes(apiRoute, authHandler)
 	user.RegisterRoutes(apiRoute, userHandler)

internal/api/middleware/csrf.go

@@ -0,0 +1,98 @@
+package middleware
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func randomToken(n int) (string, error) {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+// EnsureCSRFCookie sets a csrf_token cookie if it's missing.
+//
+// Uses SameSite=Strict to reduce cross-site cookie sending.
+// HttpOnly must be false so browser JS can read it and send it back in a header.
+func EnsureCSRFCookie() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if tok, err := c.Cookie("csrf_token"); err != nil || tok == "" {
+			if tok, err := randomToken(32); err == nil {
+				secure := os.Getenv("USE_HTTPS") == "true"
+				http.SetCookie(c.Writer, &http.Cookie{
+					Name:     "csrf_token",
+					Value:    tok,
+					Path:     "/",
+					Secure:   secure,
+					HttpOnly: false,
+					SameSite: http.SameSiteStrictMode,
+				})
+			}
+		}
+		c.Next()
+	}
+}
+
+// CSRFMiddleware enforces CSRF checks on unsafe methods for cookie-authenticated requests.
+//
+// - Skips safe methods (GET/HEAD/OPTIONS).
+// - Skips requests using Authorization: Bearer (non-cookie API clients).
+// - Enforces only when auth_token cookie is present (browser session).
+//
+// Validation uses the double-submit cookie pattern:
+// cookie csrf_token must match X-CSRF-Token header OR _csrf form field.
+func CSRFMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		m := c.Request.Method
+		if m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions {
+			c.Next()
+			return
+		}
+
+		if strings.HasPrefix(c.GetHeader("Authorization"), "Bearer ") {
+			c.Next()
+			return
+		}
+
+		// Only enforce when cookie auth is in play
+		if _, err := c.Cookie("auth_token"); err != nil {
+			c.Next()
+			return
+		}
+
+		// Extra hardening: basic Origin check when present.
+		if origin := c.GetHeader("Origin"); origin != "" {
+			host := c.Request.Host
+			if !strings.Contains(origin, host) {
+				c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "csrf origin blocked"})
+				return
+			}
+		}
+
+		cookieTok, err := c.Cookie("csrf_token")
+		if err != nil || cookieTok == "" {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "missing csrf cookie"})
+			return
+		}
+
+		reqTok := c.GetHeader("X-CSRF-Token")
+		if reqTok == "" {
+			reqTok = c.PostForm("_csrf")
+		}
+
+		if reqTok == "" || reqTok != cookieTok {
+			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "bad csrf token"})
+			return
+		}
+
+		c.Next()
+	}
+}

internal/auth/handler.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"net/http"
 	"os"
 
 	"github.com/gin-gonic/gin"
@@ -49,15 +50,17 @@ func (h *Handler) Login(c *gin.Context) {
 
 	isSecure := os.Getenv("USE_HTTPS") == "true"
 
-	c.SetCookie(
-		"auth_token",
-		token,
-		3600*24,
-		"/",
-		os.Getenv("DOMAIN"),
-		isSecure,
-		true, // httpOnly (IMPORTANT)
-	)
+	// Use http.SetCookie so we can set SameSite.
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     "auth_token",
+		Value:    token,
+		Path:     "/",
+		Domain:   os.Getenv("DOMAIN"),
+		MaxAge:   3600 * 24,
+		Secure:   isSecure,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	})
 
 	c.JSON(200, gin.H{"token": token})
 }

internal/file/handlers.go

@@ -168,7 +168,7 @@ func (h *Handler) AdminDelete(c *gin.Context) {
 		return
 	}
 
-	c.Redirect(301, "/admin")
+	c.Redirect(303, "/admin")
 }
 
 func (h *Handler) AdminForceDelete(c *gin.Context) {
@@ -185,7 +185,7 @@ func (h *Handler) AdminForceDelete(c *gin.Context) {
 		return
 	}
 
-	c.Redirect(301, "/admin")
+	c.Redirect(303, "/admin")
 }
 
 func (h *Handler) Import(c *gin.Context) {

internal/file/routes.go

@@ -24,8 +24,8 @@ func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
 
 	adminRoutes.GET("/download/:id", h.AdminGet)
 
-	adminRoutes.GET("/delete/:id", h.AdminDelete)
-	adminRoutes.GET("/delete/fr/:id", h.AdminForceDelete)
+	adminRoutes.POST("/delete/:id", h.AdminDelete)
+	adminRoutes.POST("/delete/fr/:id", h.AdminForceDelete)
 
 	adminRoutes.POST("/import", h.Import)
 	adminRoutes.GET("/export", h.Export)

templates/admin.html

@@ -150,11 +150,13 @@
                 <td>
                     <div class="btn-group">
                         {{if not .Deleted}}
-                        <form action="/api/files/admin/delete/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
+                        <form action="/api/files/admin/delete/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'TERMINATE', 'Kill this file? It will be removed from active storage.')">
+                            <input type="hidden" name="_csrf" class="csrf-field">
                             <button type="submit" style="background: #ffcccc;">Terminate</button>
                         </form>
                         {{end}}
-                        <form action="/api/files/admin/delete/fr/{{.ID}}" method="GET" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
+                        <form action="/api/files/admin/delete/fr/{{.ID}}" method="POST" onsubmit="return openConfirm(event, 'FULL_WIPE', 'Wiping file and purging record? This is a permanent database scrub.')">
+                            <input type="hidden" name="_csrf" class="csrf-field">
                             <button type="submit">Full_Wipe</button>
                         </form>
                     </div>
@@ -202,6 +204,13 @@
         currentForm = null;
     }
 
+    // Fill CSRF hidden inputs from cookie (double-submit pattern)
+    (function fillCSRF() {
+        const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+        const tok = m ? m.pop() : '';
+        document.querySelectorAll('.csrf-field').forEach(el => el.value = tok);
+    })();
+
     document.getElementById('modal-confirm-btn').addEventListener('click', () => {
         if (currentForm) {
             currentForm.submit();

templates/changePassword.html

@@ -258,9 +258,12 @@
         }
 
         try {
+            const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+            const csrf = m ? m.pop() : '';
+
             const res = await fetch('/api/user/change-password', {
                 method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
+                headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrf },
                 body: JSON.stringify({
                     old_password: current,
                     new_password: nv

templates/login.html

@@ -127,10 +127,14 @@
         const password = document.getElementById("password").value;
 
         try {
+            const m = document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)');
+            const csrf = m ? m.pop() : '';
+
             const res = await fetch("/api/auth/login", {
                 method: "POST",
                 headers: {
-                    "Content-Type": "application/json"
+                    "Content-Type": "application/json",
+                    "X-CSRF-Token": csrf
                 },
                 body: JSON.stringify({
                     username: username,