From 2e459c911031669080bc110059cf2b4b19c5379d Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Mon, 16 Feb 2026 14:02:48 -0800
Subject: Enhance CSRF protection for login page

Login form now includes a CSRF token from the cookie as a hidden form field. The CSRF middleware accepts tokens from either the X-CSRF-Token header (for JS clients) or the csrf_token form field (for HTML forms). Removed /login from the CSRF exclusion list so login POSTs are now validated.

Co-Authored-By: Claude Opus 4.6
---
 web/static/login.html | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'web/static/login.html')

diff --git a/web/static/login.html b/web/static/login.html
index c7d0a03..c469528 100644
--- a/web/static/login.html
+++ b/web/static/login.html
@@ -115,7 +115,8 @@
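Review bot: the diffstat lists only web/static/login.html (6 insertions, 1 deletion), while the message also describes middleware changes (accepting the csrf_token form field and dropping /login from the exclusion list); this view is limited to login.html, so please confirm those changes are part of the same commit, since removing /login from the exclusions without the form-field path being accepted would reject every HTML login POST. Also, login.html sits under web/static, so the hidden field is not filled by a server-side template: if a script copies the cookie value into the field, that cookie must be readable by JavaScript (not HttpOnly) and must already be set on a first visit before the form is submitted; one sentence in the message stating how the field is populated and which cookie attributes it relies on would make the design reviewable.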
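The token-acceptance rule the commit message describes (header for JS clients, hidden form field for HTML forms, compared against the cookie, with /login no longer exempt), as an added illustration that is not the project's code: the project's language is not visible in this view, so Python is used, and the cookie name, the exempt path, the Request shape and the form markup are assumptions.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrf_token"        # assumed cookie name (not taken from the page)
CSRF_HEADER = "X-CSRF-Token"      # header used by JS clients (from the commit message)
CSRF_FIELD = "csrf_token"         # hidden form field used by HTML forms (from the commit message)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_EXEMPT_PATHS = {"/healthz"}  # constructed entry; /login is deliberately absent


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_csrf_token() -> str:
    """Unpredictable per-session token; this is the value set in the cookie."""
    return secrets.token_urlsafe(32)


def submitted_token(req: Request):
    """Header first (JS clients), then the hidden form field (HTML forms).
    Header names are looked up verbatim here; real frameworks normalise case."""
    return req.headers.get(CSRF_HEADER) or req.form.get(CSRF_FIELD)


def csrf_check(req: Request) -> bool:
    """Return True if the request may proceed.
    Double-submit comparison: the submitted token must equal the cookie token,
    compared in constant time. Missing cookie or missing token both fail closed."""
    if req.method in SAFE_METHODS or req.path in CSRF_EXEMPT_PATHS:
        return True
    cookie = req.cookies.get(CSRF_COOKIE)
    sent = submitted_token(req)
    if not cookie or not sent:
        return False
    return hmac.compare_digest(cookie, sent)


def render_login_form(cookie_token: str) -> str:
    """Login form carrying the cookie's token in a hidden field, as the commit describes."""
    return (f'<form method="post" action="/login">'
            f'<input type="hidden" name="{CSRF_FIELD}" value="{html.escape(cookie_token)}">'
            f'<input name="username"><input type="password" name="password">'
            f'<button>Log in</button></form>')
```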