From 1f36ec29c83bf5826c90986e071705888c83036c Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Mon, 16 Feb 2026 08:49:08 -0800
Subject: Fix v3 build process and CSRF login/logout exclusions

- Update Makefile to correctly build and copy frontend-vanilla (v3) assets
- Fix frontend-vanilla/vite.config.ts to build to its own dist directory
- Normalize CSRF check path and exclude /api/logout to fix v3 session clearing
- Include latest built assets for v3

---
 web/web.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'web/web.go')

diff --git a/web/web.go b/web/web.go
index d59d308..997a05a 100644
--- a/web/web.go
+++ b/web/web.go
@@ -112,9 +112,9 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 	password := r.FormValue("password")
 	if password == config.Config.DigestPassword {
 		v, _ := bcrypt.GenerateFromPassword([]byte(password), 0)
-		c := http.Cookie{Name: AuthCookie, Value: string(v), Path: "/", MaxAge: SecondsInAYear, HttpOnly: true}
+		c := http.Cookie{Name: AuthCookie, Value: string(v), Path: "/", MaxAge: SecondsInAYear, HttpOnly: true, Secure: config.Config.SecureCookies}
 		http.SetCookie(w, &c)
-		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		http.Redirect(w, r, "/", http.StatusSeeOther)
 	} else {
 		http.Error(w, "bad login", http.StatusUnauthorized)
 	}
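Review bot: The new cookie literal on the `+ c := http.Cookie{...}` line adds `Secure` but still sets no `SameSite` attribute, so the auth cookie is attached to cross-site POSTs and the CSRF middleware is the only thing between a third-party page and a state change. Adding `SameSite: http.SameSiteLaxMode` to the literal closes that off at the browser for the common case without affecting same-origin navigation. `Secure` is also gated on `config.Config.SecureCookies`; the config type is not visible here, but if that field defaults to false the session cookie travels over plain HTTP unless an operator opts in, so a default of true is worth confirming. loginHandler's signature and the start of its body lie outside the hunk.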
@@ -379,7 +379,10 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 			token = cookie.Value
 		}
 
-		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" && r.URL.Path != "/login/" {
+		path := strings.TrimSuffix(r.URL.Path, "/")
+		isExcluded := path == "/api/login" || path == "/login" || path == "/api/logout"
+
+		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && !isExcluded {
 			headerToken := r.Header.Get("X-CSRF-Token")
 			if headerToken == "" || headerToken != token {
 				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
-- cgit v1.2.3
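Review bot: The rewritten `+ if (...)` condition still enumerates POST, PUT and DELETE, so a PATCH (or any other unsafe method a handler accepts) reaches the handler with no token check; exempting only the safe methods is shorter and fail-closed: `if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions && !isExcluded {`. The new `/api/logout` entry in `isExcluded` also makes logout forgeable from any origin, since a cross-site form POST can now end a user's session; if the v3 client cannot send `X-CSRF-Token` on logout, fixing the client is the better route, and otherwise the trade-off deserves a comment such as `// /api/logout is exempt so the v3 client can clear a session without a token; this permits forced logout from other origins.` `strings.TrimSuffix` strips only one trailing slash, which is fine here because an unmatched path falls through to the check rather than into the exemption. CSRFMiddleware's signature and the remainder of the handler body lie outside the hunk.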