v0.23.0 — CSRF protection on all browser-facing POST endpoints

Controller: - internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers - auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method) - server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken - main.go: wire CsrfProtect on all routes; bump to v0.23.0 - handlers.go, storage_handlers.go, handler_restore.go: executeTemplate - All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper, fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 16:38:56 +01:00
parent ade01470d0
commit 02650e3202
20 changed files with 1143 additions and 75 deletions
@@ -0,0 +1,95 @@
+package web
+
+import (
+	"crypto/subtle"
+	"fmt"
+	"html/template"
+	"net/http"
+	"strings"
+)
+
+const csrfFormField = "_csrf"
+const csrfHeaderName = "X-CSRF-Token"
+
+// CsrfProtect validates CSRF tokens on unsafe HTTP methods (POST, PUT, DELETE, PATCH).
+// Safe methods (GET, HEAD, OPTIONS) pass through unchanged.
+//
+// Exempt cases:
+//   - Auth is disabled (no password configured)
+//   - Request has a valid Authorization: Bearer header (API key / hub auth)
+func (s *Server) CsrfProtect(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Safe methods: no CSRF check needed
+		switch r.Method {
+		case http.MethodGet, http.MethodHead, http.MethodOptions:
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// Skip CSRF if auth is disabled (no password set = open access)
+		if !s.authEnabled() {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// Skip CSRF for Bearer-token authenticated requests.
+		// These endpoints also accept session auth, but when a Bearer token
+		// is present, the request is from a script/hub, not a browser.
+		if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// Get the session's CSRF token
+		cookie, err := r.Cookie(sessionCookieName)
+		if err != nil {
+			s.csrfReject(w, r, "no session cookie")
+			return
+		}
+		expected := s.csrfTokenForSession(cookie.Value)
+		if expected == "" {
+			s.csrfReject(w, r, "invalid or expired session")
+			return
+		}
+
+		// Check form field first, then header (for fetch/AJAX calls)
+		submitted := r.FormValue(csrfFormField)
+		if submitted == "" {
+			submitted = r.Header.Get(csrfHeaderName)
+		}
+
+		if submitted == "" || subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) != 1 {
+			s.csrfReject(w, r, "token mismatch")
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+// csrfReject sends a 403 response. Returns JSON for /api/ paths, plain text otherwise.
+func (s *Server) csrfReject(w http.ResponseWriter, r *http.Request, reason string) {
+	s.logger.Printf("[WARN] CSRF rejected: %s %s from %s (%s)", r.Method, r.URL.Path, r.RemoteAddr, reason)
+	if strings.HasPrefix(r.URL.Path, "/api/") {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusForbidden)
+		fmt.Fprint(w, `{"ok":false,"error":"CSRF token missing or invalid"}`)
+		return
+	}
+	http.Error(w, "CSRF token missing or invalid. Please reload the page and try again.", http.StatusForbidden)
+}
+
+// csrfToken returns the CSRF token for the current request's session.
+func (s *Server) csrfToken(r *http.Request) string {
+	cookie, err := r.Cookie(sessionCookieName)
+	if err != nil {
+		return ""
+	}
+	return s.csrfTokenForSession(cookie.Value)
+}
+
+// csrfField returns an HTML hidden input for embedding in forms.
+func (s *Server) csrfField(r *http.Request) template.HTML {
+	token := s.csrfToken(r)
+	return template.HTML(`<input type="hidden" name="` + csrfFormField + `" value="` + template.HTMLEscapeString(token) + `">`)
+}