From 4a0af136d55a13ba29cf4dd0b8d8cddea8bde6a7 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:53:31 -0800
Subject: [PATCH] Add CSRF protection to admin panel

Fixes #14

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 cmd/server/main.go                            |  1 +
 internal/handlers/admin/routes.go             | 53 +++++++++++--------
 web/templates/pages/admin/repos/edit.html     |  1 +
 web/templates/pages/admin/repos/new.html      |  1 +
 web/templates/pages/admin/tickets/detail.html |  1 +
 web/templates/pages/admin/users/detail.html   |  1 +
 web/templates/pages/admin/users/new.html      |  1 +
 web/templates/pages/admin/users/pending.html  |  2 +
 8 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 1f264ed..06685cb 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -76,6 +76,7 @@ func main() {
 		DB:            db,
 		Renderer:      renderer,
 		Auth:          authService,
+		SessionStore:  sessionStore,
 		EmailClient:   emailClient,
 		ForgejoClient: forgejoClient,
 		Config:        cfg,
diff --git a/internal/handlers/admin/routes.go b/internal/handlers/admin/routes.go
index 1785be9..0d8d0cd 100644
--- a/internal/handlers/admin/routes.go
+++ b/internal/handlers/admin/routes.go
@@ -1,6 +1,8 @@
 package admin
 
 import (
+	"strings"
+
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
 	"github.com/mattnite/forgejo-tickets/internal/config"
@@ -15,6 +17,7 @@ type Dependencies struct {
 	DB            *gorm.DB
 	Renderer      *templates.Renderer
 	Auth          *auth.Service
+	SessionStore  *auth.PGStore
 	EmailClient   *email.Client
 	ForgejoClient *forgejo.Client
 	Config        *config.Config
@@ -30,30 +33,38 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	tsAuth := &TailscaleAuth{allowedUsers: deps.Config.TailscaleAllowedUsers}
 	r.Use(tsAuth.Middleware)
 
-	dashboardHandler := &DashboardHandler{deps: deps}
-	r.GET("/", dashboardHandler.Index)
+	csrfSecret := []byte(deps.Config.SessionSecret)
+	isSecure := strings.HasPrefix(deps.Config.BaseURL, "https")
+	csrfMiddleware := middleware.CSRF(csrfSecret, isSecure)
 
-	userHandler := &UserHandler{deps: deps}
-	r.GET("/users", userHandler.List)
-	r.GET("/users/pending", userHandler.PendingList)
-	r.GET("/users/new", userHandler.NewForm)
-	r.GET("/users/:id", userHandler.Detail)
-	r.POST("/users", userHandler.Create)
-	r.POST("/users/:id/approve", userHandler.Approve)
-	r.POST("/users/:id/reject", userHandler.Reject)
-	r.POST("/users/:id/repos", userHandler.UpdateRepos)
+	csrf := r.Group("/")
+	csrf.Use(csrfMiddleware)
+	{
+		dashboardHandler := &DashboardHandler{deps: deps}
+		csrf.GET("/", dashboardHandler.Index)
 
-	ticketHandler := &TicketHandler{deps: deps}
-	r.GET("/tickets", ticketHandler.List)
-	r.GET("/tickets/:id", ticketHandler.Detail)
-	r.POST("/tickets/:id/status", ticketHandler.UpdateStatus)
+		userHandler := &UserHandler{deps: deps}
+		csrf.GET("/users", userHandler.List)
+		csrf.GET("/users/pending", userHandler.PendingList)
+		csrf.GET("/users/new", userHandler.NewForm)
+		csrf.GET("/users/:id", userHandler.Detail)
+		csrf.POST("/users", userHandler.Create)
+		csrf.POST("/users/:id/approve", userHandler.Approve)
+		csrf.POST("/users/:id/reject", userHandler.Reject)
+		csrf.POST("/users/:id/repos", userHandler.UpdateRepos)
 
-	repoHandler := &RepoHandler{deps: deps}
-	r.GET("/repos", repoHandler.List)
-	r.GET("/repos/new", repoHandler.NewForm)
-	r.POST("/repos", repoHandler.Create)
-	r.GET("/repos/:id/edit", repoHandler.EditForm)
-	r.POST("/repos/:id", repoHandler.Update)
+		ticketHandler := &TicketHandler{deps: deps}
+		csrf.GET("/tickets", ticketHandler.List)
+		csrf.GET("/tickets/:id", ticketHandler.Detail)
+		csrf.POST("/tickets/:id/status", ticketHandler.UpdateStatus)
+
+		repoHandler := &RepoHandler{deps: deps}
+		csrf.GET("/repos", repoHandler.List)
+		csrf.GET("/repos/new", repoHandler.NewForm)
+		csrf.POST("/repos", repoHandler.Create)
+		csrf.GET("/repos/:id/edit", repoHandler.EditForm)
+		csrf.POST("/repos/:id", repoHandler.Update)
+	}
 
 	return r
 }
diff --git a/web/templates/pages/admin/repos/edit.html b/web/templates/pages/admin/repos/edit.html
index c353ed3..ff508ef 100644
--- a/web/templates/pages/admin/repos/edit.html
+++ b/web/templates/pages/admin/repos/edit.html
@@ -64,6 +64,7 @@
     {{end}}
 
     <form method="POST" action="/repos/{{.Repo.ID}}" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Display Name</label>
             <input type="text" name="name" id="name" required value="{{.Repo.Name}}"
diff --git a/web/templates/pages/admin/repos/new.html b/web/templates/pages/admin/repos/new.html
index 6e30f7e..937bf63 100644
--- a/web/templates/pages/admin/repos/new.html
+++ b/web/templates/pages/admin/repos/new.html
@@ -17,6 +17,7 @@
     {{end}}
 
     <form method="POST" action="/repos" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Display Name</label>
             <input type="text" name="name" id="name" required placeholder="Billing App"
diff --git a/web/templates/pages/admin/tickets/detail.html b/web/templates/pages/admin/tickets/detail.html
index d1ff8cf..2f99838 100644
--- a/web/templates/pages/admin/tickets/detail.html
+++ b/web/templates/pages/admin/tickets/detail.html
@@ -60,6 +60,7 @@
     <!-- Status Update -->
     <div class="mt-6 pt-4 border-t border-gray-200">
         <form method="POST" action="/tickets/{{.Ticket.ID}}/status" class="flex items-center gap-3">
+            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
             <label for="status" class="text-sm font-medium text-gray-700">Update Status:</label>
             <select name="status" id="status" class="rounded-md border border-gray-300 px-3 py-1.5 text-sm focus:border-blue-500 focus:outline-none focus:ring-1 focus:ring-blue-500">
                 <option value="open" {{if eq (print .Ticket.Status) "open"}}selected{{end}}>Open</option>
diff --git a/web/templates/pages/admin/users/detail.html b/web/templates/pages/admin/users/detail.html
index e2d3139..fd8f1e3 100644
--- a/web/templates/pages/admin/users/detail.html
+++ b/web/templates/pages/admin/users/detail.html
@@ -31,6 +31,7 @@
 <h2 class="text-lg font-semibold text-gray-900 mb-4">Project Access</h2>
 {{if .AllRepos}}
 <form method="POST" action="/users/{{.User.ID}}/repos" class="bg-white p-6 rounded-lg shadow ring-1 ring-gray-200 mb-8">
+    <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
     <div class="space-y-2">
         {{range .AllRepos}}
         <label class="flex items-center gap-2">
diff --git a/web/templates/pages/admin/users/new.html b/web/templates/pages/admin/users/new.html
index fc0d051..9eb0923 100644
--- a/web/templates/pages/admin/users/new.html
+++ b/web/templates/pages/admin/users/new.html
@@ -18,6 +18,7 @@
     {{end}}
 
     <form method="POST" action="/users" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Name</label>
             <input type="text" name="name" id="name" required
diff --git a/web/templates/pages/admin/users/pending.html b/web/templates/pages/admin/users/pending.html
index 0d9547d..0e826c6 100644
--- a/web/templates/pages/admin/users/pending.html
+++ b/web/templates/pages/admin/users/pending.html
@@ -27,9 +27,11 @@
                 <td class="px-4 py-3 text-right">
                     <div class="flex justify-end gap-2">
                         <form method="POST" action="/users/{{.ID}}/approve">
+                            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
                             <button type="submit" class="rounded-md bg-green-600 px-3 py-1.5 text-xs font-semibold text-white shadow hover:bg-green-500">Approve</button>
                         </form>
                         <form method="POST" action="/users/{{.ID}}/reject" onsubmit="return confirm('Are you sure you want to reject this request? The account will be deleted.')">
+                            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
                             <button type="submit" class="rounded-md bg-red-600 px-3 py-1.5 text-xs font-semibold text-white shadow hover:bg-red-500">Reject</button>
                         </form>
                     </div>