From 12eaaf186fce84d069556e11fea85e0be42c1a8b Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Mon, 16 Feb 2026 08:00:53 -0800
Subject: Fix restricted login access and modernize login page
- Close NK-oqd24q: Fix login access for v3/api
- Update web.go to exclude /login/ from CSRF check during initial submission
- Modernize web/static/login.html with new CSS and structure
- Add web/login_test.go to verify CSRF exclusion
- Created NK-ngokc3 for further CSRF enhancements
---
 web/web.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web/web.go')
diff --git a/web/web.go b/web/web.go
index a287bb9..d59d308 100644
--- a/web/web.go
+++ b/web/web.go
@@ -379,7 +379,7 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 token = cookie.Value
 }
-if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" {
+if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" && r.URL.Path != "/login/" {
 headerToken := r.Header.Get("X-CSRF-Token")
 if headerToken == "" || headerToken != token {
 http.Error(w, "CSRF token mismatch", http.StatusForbidden)
--
cgit v1.2.3
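Review bot: The added `&& r.URL.Path != "/login/"` clause on the `+` line makes a POST to `/login/` skip the token check entirely, so the login form itself is left without cross-site submission (login CSRF) protection, and the commit message defers that to NK-ngokc3 without recording the gap in the code. A comment on the condition would keep the next reader from treating the exemption as safe: `// /api/login and /login/ are exempt because the login form carries no token yet; login CSRF hardening is tracked in NK-ngokc3`. With two hard-coded exempt paths, consider hoisting them into a package-level `map[string]struct{}` and testing `if _, exempt := csrfExemptPaths[r.URL.Path]; !exempt && isMutating { ... }` rather than extending the chain of `!=` clauses each time. The `headerToken != token` comparison on the following context line is not constant-time, so `subtle.ConstantTimeCompare([]byte(headerToken), []byte(token)) != 1` would be the usual form, though that line predates this commit. CSRFMiddleware's body starts and ends outside the hunk.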