admin/deploy-felhom-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.23.0 — CSRF protection on all browser-facing POST endpoints

Browse Source 
Controller:
- internal/web/csrf.go (new): CsrfProtect middleware, csrfToken/csrfField helpers
- auth.go: per-session CSRF token (csrfToken field, csrfTokenForSession method)
- server.go: executeTemplate wrapper auto-injects CSRFField+CSRFToken
- main.go: wire CsrfProtect on all routes; bump to v0.23.0
- handlers.go, storage_handlers.go, handler_restore.go: executeTemplate
- All templates: CSRFField in forms, meta csrf-token, csrfHeaders() JS helper,
  fetch calls updated; sendBeacon→fetch+keepalive in storage_attach.html

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-02-21 16:38:56 +01:00
parent ade01470d0
commit 02650e3202
20 changed files with 1143 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/internal/web/templates/storage_attach.html
+8 -8
View File
@@ -169,9 +169,9 @@ function scanDisks() {
// Clean up any stale raw mounts from interrupted previous sessions first,
// so the device appears as available in the scan results.
fetch('/api/storage/attach/cancel', {method:'POST'})
fetch('/api/storage/attach/cancel', {method:'POST', headers: csrfHeaders()})
.catch(function(){}) // ignore cancel errors
.then(function() { return fetch('/api/storage/scan', {method:'POST'}); })
.then(function() { return fetch('/api/storage/scan', {method:'POST', headers: csrfHeaders()}); })
.then(function(r){ return r.json(); })
.then(function(data) {
btn.textContent = '🔍 Meghajtók keresése';
@@ -274,7 +274,7 @@ function mountRawAndBrowse(devicePath, fsType) {
fetch('/api/storage/attach/mount-raw', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
body: JSON.stringify({device_path: devicePath})
}).then(function(r){ return r.json(); })
.then(function(data) {
@@ -407,7 +407,7 @@ function createDir() {
fetch('/api/storage/attach/mkdir', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
body: JSON.stringify({path: currentBrowsePath, name: name})
}).then(function(r){ return r.json(); })
.then(function(data) {
@@ -447,7 +447,7 @@ function backToBrowse() {
function cancelAttach() {
// Cleanup raw mount
fetch('/api/storage/attach/cancel', {method:'POST'}).catch(function(){});
fetch('/api/storage/attach/cancel', {method:'POST', headers: csrfHeaders()}).catch(function(){});
window.location.href = '/settings';
}
@@ -482,7 +482,7 @@ document.getElementById('attach-form').addEventListener('submit', function(e) {
fetch('/api/storage/attach', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
headers: Object.assign({'Content-Type': 'application/json'}, csrfHeaders()),
body: JSON.stringify(body)
}).then(function(r){ return r.json(); })
.then(function(data) {
@@ -572,8 +572,8 @@ function escapeAttr(s) {
// Cleanup on page unload (best-effort)
window.addEventListener('beforeunload', function() {
if (rawMountPath && !document.getElementById('wizard-done').style.display !== 'none') {
// Best-effort cleanup via sendBeacon
navigator.sendBeacon('/api/storage/attach/cancel');
// Best-effort cleanup via fetch (sendBeacon can't send CSRF headers)
fetch('/api/storage/attach/cancel', {method:'POST', headers: csrfHeaders(), keepalive: true}).catch(function(){});
}
});
</script>