feat(webui): add csrf tokens to all forms processing code

Closes #60
2025-05-01 08:37:28 +02:00 · 2025-05-01 08:37:28 +02:00 · 5d7b540718
commit 5d7b540718
parent 895615ad6e
15 changed files with 71 additions and 2 deletions
--- a/pkg/webui/html/accounts.html
+++ b/pkg/webui/html/accounts.html
@ -9,6 +9,7 @@
  </div>
  {{ if .Page.Session.Data.Account.IsAdmin }}
  <form action="/accounts" enctype="multipart/form-data" method="post">
+    <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
    <fieldset>
      <legend>New User Account</legend>
      <div class="grid-2">
@ -40,6 +41,7 @@
      {{ end }}
      <div style="align-self:stretch; display:flex; justify-content:flex-end;">
        <button class="primary" type="submit" value="submit">Create User Account</button>
+      </div>
    </fieldset>
  </form>
  {{ end }}
--- a/pkg/webui/html/accountsId.html
+++ b/pkg/webui/html/accountsId.html
@ -27,6 +27,7 @@
 {{ if .Page.Session.Data.Account.IsAdmin }}
 <h2>Operations</h2>
 <form action="/accounts/{{ .Account.Id }}" enctype="multipart/form-data" method="post">
+  <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
  <div class="flex-row">
    <fieldset>
      <legend>Edit User Account</legend>
--- a/pkg/webui/html/accountsIdResetPassword.html
+++ b/pkg/webui/html/accountsIdResetPassword.html
@ -8,6 +8,7 @@
 <h1>User Account</h1>
 <h2>Password Reset</h2>
 <form action="/accounts/{{ .Account.Id }}/reset/{{ .Token }}" enctype="multipart/form-data" method="post">
+  <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
  <fieldset>
    <legend>Set Password</legend>
    <p>
--- a/pkg/webui/html/login.html
+++ b/pkg/webui/html/login.html
@ -1,6 +1,7 @@
 {{ define "main" }}
 <div style="display: grid;">
  <form action="/login" method="post" style="align-self:center; justify-self: center;">
+    <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
    <fieldset style="align-items:center; display:flex; flex-direction:column; gap:8px;">
      <legend>Login</legend>
      <div style="align-items:center; display:flex; flex-direction:row; gap:8px;">
--- a/pkg/webui/html/settings.html
+++ b/pkg/webui/html/settings.html
@ -1,6 +1,7 @@
 {{ define "main" }}
 <h1>Settings</h1>
 <form action="/settings" method="post">
+  <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
  <fieldset>
    <legend>Account Settings</legend>
    <div style="align-items:center; display:grid; grid-template-columns:1fr 1fr;">
--- a/pkg/webui/html/states.html
+++ b/pkg/webui/html/states.html
@ -7,6 +7,7 @@
    <p>You also have the option to upload a JSON state file in order to create a new state in TfStated. This is equivalent to using the <code>state push</code> command of OpenTofu/Terraform on a brand new state.</p>
  </div>
  <form action="/states" enctype="multipart/form-data" method="post">
+    <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
    <fieldset>
      <legend>New State</legend>
      <div class="grid-2">
--- a/pkg/webui/html/statesId.html
+++ b/pkg/webui/html/statesId.html
@ -24,6 +24,7 @@
 <h2>Operations</h2>
 <div class="flex-row">
  <form action="/states/{{ .State.Id }}" method="post">
+    <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
    <fieldset>
      <legend>Edit State</legend>
      <div class="flex-row">
@ -60,6 +61,7 @@
    </fieldset>
  </form>
  <form action="/states/{{ .State.Id }}" method="post">
+    <input name="csrf_token" type="hidden" value="{{ .Page.Session.Data.CsrfToken }}">
    <fieldset>
      <legend>Danger Zone</legend>
      <button action="delete" type="submit" value="delete">Delete State</button>