implement CSRF protection by adding token generation, validation, and cookie management in login flows

2026-03-17 22:36:17 +00:00 · 2026-03-16 20:23:18 -03:00
parent ebbffca21d
commit ca63b87123
8 changed files with 214 additions and 24 deletions
--- a/containers/auth-gateway/auth_gateway/templates/login_password.html
+++ b/containers/auth-gateway/auth_gateway/templates/login_password.html
@@ -7,6 +7,7 @@
    <div class="alert alert-error">{{ error }}</div>
    {% endif %}
    <form method="post" action="{{ external_path }}/login/password" class="stack">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
        <input type="hidden" name="next" value="{{ next }}">
        <label class="field">
            <span>Username</span>
--- a/containers/auth-gateway/auth_gateway/templates/login_totp.html
+++ b/containers/auth-gateway/auth_gateway/templates/login_totp.html
@@ -7,6 +7,7 @@
    <div class="alert alert-error">{{ error }}</div>
    {% endif %}
    <form method="post" action="{{ external_path }}/login/totp" class="stack">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
        <input type="hidden" name="next" value="{{ next }}">
        <label class="field">
            <span>Verification code</span>
--- a/containers/auth-gateway/auth_gateway/templates/session.html
+++ b/containers/auth-gateway/auth_gateway/templates/session.html
@@ -41,6 +41,7 @@
    </table>
    <hr>
    <form method="post" action="{{ external_path }}/logout">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
        <input type="hidden" name="next" value="/">
        <button class="btn btn-danger" type="submit">Sign out</button>
    </form>