From 78e8f597ff28f1b8406f5cfbf934adc22abdf85b Mon Sep 17 00:00:00 2001
From: Peter Stone <thepeterstone@gmail.com>
Date: Tue, 20 Jan 2026 15:18:57 -1000
Subject: Add CSRF protection and auth unit tests

Add CSRF token middleware for state-changing request protection,
integrate tokens into templates and HTMX headers, and add unit
tests for authentication service and handlers.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 cmd/dashboard/main.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'cmd')

diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go
index 14664fc..58f954d 100644
--- a/cmd/dashboard/main.go
+++ b/cmd/dashboard/main.go
@@ -45,7 +45,8 @@ func main() {
 	sessionManager := scs.New()
 	sessionManager.Store = sqlite3store.New(db.DB())
 	sessionManager.Lifetime = 24 * time.Hour
-	sessionManager.Cookie.Secure = false // Set to true in production with HTTPS
+	sessionManager.Cookie.Persist = true
+	sessionManager.Cookie.Secure = !cfg.Debug
 	sessionManager.Cookie.SameSite = http.SameSiteLaxMode
 
 	// Initialize auth service
@@ -94,6 +95,7 @@ func main() {
 	r.Use(middleware.Recoverer)
 	r.Use(middleware.Timeout(60 * time.Second))
 	r.Use(sessionManager.LoadAndSave) // Session middleware must be applied globally
+	r.Use(authHandlers.Middleware().CSRFProtect) // CSRF protection
 
 	// Public routes (no auth required)
 	r.Get("/login", authHandlers.HandleLoginPage)
-- 
cgit v1.2.3