| author | Peter Stone <thepeterstone@gmail.com> | 2026-01-20 15:18:57 -1000 |
|---|---|---|
| committer | Peter Stone <thepeterstone@gmail.com> | 2026-01-20 15:18:57 -1000 |
| commit | 78e8f597ff28f1b8406f5cfbf934adc22abdf85b (patch) | |
| tree | f3b7dfff2c460e2d8752b61c131e80a73fa6b08d /cmd | |
| parent | 08bbcf18b1207153983261652b4a43a9b36f386c (diff) | |
Add CSRF protection and auth unit tests
Add CSRF token middleware for state-changing request protection,
integrate tokens into templates and HTMX headers, and add unit
tests for authentication service and handlers.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/dashboard/main.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go
index 14664fc..58f954d 100644
--- a/cmd/dashboard/main.go
+++ b/cmd/dashboard/main.go
@@ -45,7 +45,8 @@ func main() {
 	sessionManager := scs.New()
 	sessionManager.Store = sqlite3store.New(db.DB())
 	sessionManager.Lifetime = 24 * time.Hour
-	sessionManager.Cookie.Secure = false // Set to true in production with HTTPS
+	sessionManager.Cookie.Persist = true
+	sessionManager.Cookie.Secure = !cfg.Debug
 	sessionManager.Cookie.SameSite = http.SameSiteLaxMode
 	// Initialize auth service
@@ -94,6 +95,7 @@ func main() {
 	r.Use(middleware.Recoverer)
 	r.Use(middleware.Timeout(60 * time.Second))
 	r.Use(sessionManager.LoadAndSave) // Session middleware must be applied globally
+	r.Use(authHandlers.Middleware().CSRFProtect) // CSRF protection
 	// Public routes (no auth required)
 	r.Get("/login", authHandlers.HandleLoginPage) |
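Review bot: `sessionManager.Cookie.Secure = !cfg.Debug` in the first hunk ties the cookie's Secure attribute to what looks like a general-purpose debug switch rather than to whether the deployment actually serves over TLS, so a non-debug run on plain HTTP silently loses its session cookie and a debug run behind HTTPS ships an insecure one. A dedicated configuration knob for the transport would express the intent better than overloading Debug; at minimum the line should record the assumption it now encodes, e.g. `sessionManager.Cookie.Secure = !cfg.Debug // Debug is only meant for local plain-HTTP runs; every other deployment must terminate TLS`. The change also removes the old reminder comment, so nothing in main.go now says the production path depends on HTTPS. The enclosing main() starts before and continues past this hunk.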
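Review bot: In the second hunk the new `r.Use(authHandlers.Middleware().CSRFProtect)` line is placed after `sessionManager.LoadAndSave`, which is the right order if CSRFProtect reads or stores its token via the session, but the comment `// CSRF protection` does not record that the ordering is load-bearing (the middleware body is outside this diff, so this is inferred from the commit description). Suggest `// CSRF protection; must run after LoadAndSave so the session is available to the token check`. Registering it globally also means the public /login form is covered, which is the desirable default and worth stating in the same comment so a later refactor does not move it under an authenticated subrouter. main() continues outside the hunk.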
