v0.23.0 — CSRF protection on all browser-facing POST endpoints

Controller: - internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers - auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method) - server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken - main.go: wire CsrfProtect on all routes; bump to v0.23.0 - handlers.go, storage_handlers.go, handler_restore.go: executeTemplate - All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper, fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 16:38:56 +01:00
parent ade01470d0
commit 02650e3202
20 changed files with 1143 additions and 75 deletions
@@ -6,6 +6,8 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>{{.Title}} — Felhom.eu</title>
    <link rel="stylesheet" href="/static/style.css">
+    <meta name="csrf-token" content="{{.CSRFToken}}">
+    <script>function csrfHeaders(){var el=document.querySelector('meta[name="csrf-token"]');return el?{'X-CSRF-Token':el.content}:{};}</script>
 </head>
 <body>
    <nav class="sidebar">
@@ -75,7 +77,7 @@
        try {
            const resp = await fetch('/api/sync', {
                method: 'POST',
-                headers: {'Content-Type': 'application/json'}
+                headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders())
            });
            const data = await resp.json();
            if (toast) {
@@ -108,7 +110,7 @@
        try {
            const resp = await fetch('/api/stacks/' + name + '/' + action, {
                method: 'POST',
-                headers: {'Content-Type': 'application/json'}
+                headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders())
            });
            const data = await resp.json();
            if (!data.ok) {
@@ -174,7 +176,7 @@
        try {
            var resp = await fetch('/api/stacks/' + name, {
                method: 'DELETE',
-                headers: {'Content-Type': 'application/json'},
+                headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
                body: JSON.stringify({remove_hdd_data: removeHDD})
            });
            var data = await resp.json();
@@ -286,7 +288,7 @@
        try {
            var resp = await fetch('/api/stacks/' + name + '/remove', {
                method: 'POST',
-                headers: {'Content-Type': 'application/json'},
+                headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
                body: JSON.stringify({remove_hdd_data: removeHDD, remove_backups: removeBackups})
            });
            var data = await resp.json();