authorAdam Mathes <adam@adammathes.com>2026-02-16 08:49:08 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-16 08:49:08 -0800
commit1f36ec29c83bf5826c90986e071705888c83036c (patch)
treec2d0100ff3571fd1ed86ff7c184701e8bb48a069 /web/web.go
parentaee026b141532c11f8eb315ca77cc23f663901ae (diff)
Fix v3 build process and CSRF login/logout exclusions
- Update Makefile to correctly build and copy frontend-vanilla (v3) assets
- Fix frontend-vanilla/vite.config.ts to build to its own dist directory
- Normalize CSRF check path and exclude /api/logout to fix v3 session clearing
- Include latest built assets for v3
Diffstat (limited to 'web/web.go')
-rw-r--r--web/web.go9
1 files changed, 6 insertions, 3 deletions
diff --git a/web/web.go b/web/web.go
index d59d308..997a05a 100644
--- a/web/web.go
+++ b/web/web.go
@@ -112,9 +112,9 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
password := r.FormValue("password")
if password == config.Config.DigestPassword {
v, _ := bcrypt.GenerateFromPassword([]byte(password), 0)
- c := http.Cookie{Name: AuthCookie, Value: string(v), Path: "/", MaxAge: SecondsInAYear, HttpOnly: true}
+ c := http.Cookie{Name: AuthCookie, Value: string(v), Path: "/", MaxAge: SecondsInAYear, HttpOnly: true, Secure: config.Config.SecureCookies}
http.SetCookie(w, &c)
- http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+ http.Redirect(w, r, "/", http.StatusSeeOther)
} else {
http.Error(w, "bad login", http.StatusUnauthorized)
}
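Review bot: The rebuilt cookie literal on the `+ c := http.Cookie{...}` line gains `Secure` but still carries no `SameSite` attribute, so browsers will attach the auth cookie to cross-site POSTs; since this same commit widens the CSRF-exempt paths, I would add `SameSite: http.SameSiteLaxMode` (or `http.SameSiteStrictMode` if no top-level cross-site navigation needs to stay logged in) to that literal. Also, `v, _ := bcrypt.GenerateFromPassword(...)` on the preceding context line discards the error, so on failure `v` is nil and the new line sets a cookie with an empty value; checking the error and returning a 500 before `http.SetCookie` would be safer. `Secure` is gated on `config.Config.SecureCookies`, so it is worth documenting next to that config field that leaving it false sends the credential-bearing cookie over plaintext HTTP. loginHandler begins before this hunk.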
@@ -379,7 +379,10 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
token = cookie.Value
}
- if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" && r.URL.Path != "/login/" {
+ path := strings.TrimSuffix(r.URL.Path, "/")
+ isExcluded := path == "/api/login" || path == "/login" || path == "/api/logout"
+
+ if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && !isExcluded {
headerToken := r.Header.Get("X-CSRF-Token")
if headerToken == "" || headerToken != token {
http.Error(w, "CSRF token mismatch", http.StatusForbidden)