Fix restricted login access and modernize login page

- Close NK-oqd24q: Fix login access for v3/api - Update web.go to exclude /login/ from CSRF check during initial submission - Modernize web/static/login.html with new CSS and structure - Add web/login_test.go to verify CSRF exclusion - Created NK-ngokc3 for further CSRF enhancements
author: Adam Mathes <adam@adammathes.com> 2026-02-16 08:00:53 -0800
committer: Adam Mathes <adam@adammathes.com> 2026-02-16 08:00:53 -0800
commit: 12eaaf186fce84d069556e11fea85e0be42c1a8b (patch)
tree: 9480a885cecc783897e9f3cb345b5ec1cc0ecd99 /web/web.go
parent: e7516c4124d033332922db91a3dc0e8dc417c2aa (diff)
download: neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.tar.gz
neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.tar.bz2
neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/web/web.go b/web/web.go
index a287bb9..d59d308 100644
--- a/web/web.go
+++ b/web/web.go
@@ -379,7 +379,7 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 			token = cookie.Value
 		}
 
-		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" {
+		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" && r.URL.Path != "/login/" {
 			headerToken := r.Header.Get("X-CSRF-Token")
 			if headerToken == "" || headerToken != token {
 				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
author	Adam Mathes <adam@adammathes.com>	2026-02-16 08:00:53 -0800
committer	Adam Mathes <adam@adammathes.com>	2026-02-16 08:00:53 -0800
commit	12eaaf186fce84d069556e11fea85e0be42c1a8b (patch)
tree	9480a885cecc783897e9f3cb345b5ec1cc0ecd99 /web/web.go
parent	e7516c4124d033332922db91a3dc0e8dc417c2aa (diff)
download	neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.tar.gz neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.tar.bz2 neko-12eaaf186fce84d069556e11fea85e0be42c1a8b.zip