From 2e459c911031669080bc110059cf2b4b19c5379d Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Mon, 16 Feb 2026 14:02:48 -0800
Subject: Enhance CSRF protection for login page

Login form now includes a CSRF token from the cookie as a hidden form
field. The CSRF middleware accepts tokens from either the X-CSRF-Token
header (for JS clients) or the csrf_token form field (for HTML forms).
Removed /login from the CSRF exclusion list so login POSTs are now
validated.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 web/web.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'web/web.go')

diff --git a/web/web.go b/web/web.go
index 997a05a..bb11d60 100644
--- a/web/web.go
+++ b/web/web.go
@@ -380,11 +380,15 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 		}
 
 		path := strings.TrimSuffix(r.URL.Path, "/")
-		isExcluded := path == "/api/login" || path == "/login" || path == "/api/logout"
+		isExcluded := path == "/api/login" || path == "/api/logout"
 
 		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && !isExcluded {
-			headerToken := r.Header.Get("X-CSRF-Token")
-			if headerToken == "" || headerToken != token {
+			// Accept token from header (JS clients) or form field (HTML forms)
+			submittedToken := r.Header.Get("X-CSRF-Token")
+			if submittedToken == "" {
+				submittedToken = r.FormValue("csrf_token")
+			}
+			if submittedToken == "" || submittedToken != token {
 				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
 				return
 			}
-- 
cgit v1.2.3