fix(auth): add CSRF protection and secure cookie settings

adnaan · claude · adnaan · commit 0ef7011a146c · 2025-12-30T09:02:21.000+01:00
Address Copilot PR review comments: - Add Origin/Referer validation to HandlePasswordLogin for CSRF protection - Update SetSession to use Secure: true and SameSite: Strict for auth cookies - Update tests to verify secure cookie settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/internal/kits/system/multi/templates/auth/handler.go.tmpl b/internal/kits/system/multi/templates/auth/handler.go.tmpl
@@ -597,6 +597,26 @@ func (c *{{.StructName}}Controller) HandlePasswordLogin(w http.ResponseWriter, r
 		return
 	}
 
+	// Basic CSRF protection: validate Origin/Referer header
+	origin := r.Header.Get("Origin")
+	referer := r.Header.Get("Referer")
+	host := r.Host
+	if origin != "" {
+		// Check Origin header matches host
+		if !strings.Contains(origin, host) && !strings.HasPrefix(origin, "http://localhost") && !strings.HasPrefix(origin, "http://127.0.0.1") {
+			log.Printf("CSRF protection: Origin mismatch (origin=%s, host=%s)", origin, host)
+			http.Redirect(w, r, "/auth?error=invalid_form", http.StatusSeeOther)
+			return
+		}
+	} else if referer != "" {
+		// Fallback to Referer if Origin not present
+		if !strings.Contains(referer, host) && !strings.HasPrefix(referer, "http://localhost") && !strings.HasPrefix(referer, "http://127.0.0.1") {
+			log.Printf("CSRF protection: Referer mismatch (referer=%s, host=%s)", referer, host)
+			http.Redirect(w, r, "/auth?error=invalid_form", http.StatusSeeOther)
+			return
+		}
+	}
+
 	// Parse form data
 	if err := r.ParseForm(); err != nil {
 		http.Redirect(w, r, "/auth?error=invalid_form", http.StatusSeeOther)
diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
@@ -96,8 +96,12 @@ func ClearLiveTemplateSession(w http.ResponseWriter) {
 	})
 }
 
-// SetSession sets a session cookie with appropriate security settings.
+// SetSession sets a session cookie with strict security settings.
 // The maxAgeDays parameter specifies how long the session should last.
+// Uses HttpOnly, Secure, and SameSite=Strict for authentication cookies.
+//
+// Note: Secure=true requires HTTPS. For localhost HTTP development,
+// browsers may still accept the cookie on localhost domains.
 //
 // Example:
 //
@@ -109,7 +113,8 @@ func SetSession(w http.ResponseWriter, name, value string, maxAgeDays int) {
 		Path:     "/",
 		MaxAge:   maxAgeDays * 24 * 60 * 60,
 		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
 	})
 }
 
diff --git a/pkg/cookie/cookie_test.go b/pkg/cookie/cookie_test.go
@@ -110,6 +110,12 @@ func TestSetSession(t *testing.T) {
 	if c.MaxAge != expectedMaxAge {
 		t.Errorf("expected MaxAge %d, got %d", expectedMaxAge, c.MaxAge)
 	}
+	if !c.Secure {
+		t.Error("expected Secure to be true")
+	}
+	if c.SameSite != http.SameSiteStrictMode {
+		t.Errorf("expected SameSite %v, got %v", http.SameSiteStrictMode, c.SameSite)
+	}
 }
 
 func TestGet(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,12 @@ func TestSetSession(t *testing.T) {`
`110`	`110`	`if c.MaxAge != expectedMaxAge {`
`111`	`111`	`t.Errorf("expected MaxAge %d, got %d", expectedMaxAge, c.MaxAge)`
`112`	`112`	`}`
	`113`	`+ if !c.Secure {`
	`114`	`+ t.Error("expected Secure to be true")`
	`115`	`+ }`
	`116`	`+ if c.SameSite != http.SameSiteStrictMode {`
	`117`	`+ t.Errorf("expected SameSite %v, got %v", http.SameSiteStrictMode, c.SameSite)`
	`118`	`+ }`
`113`	`119`	`}`
`114`	`120`
`115`	`121`	`func TestGet(t *testing.T) {`