Skip to content

fix: add CSRF tokens and convert account recovery to POST#223

Merged
chriscarrollsmith merged 1 commit into
mainfrom
fix/219-csrf-and-recover-post
Jul 2, 2026
Merged

fix: add CSRF tokens and convert account recovery to POST#223
chriscarrollsmith merged 1 commit into
mainfrom
fix/219-csrf-and-recover-post

Conversation

@chriscarrollsmith

Copy link
Copy Markdown
Contributor

Summary

  • Add double-submit CSRF protection (cookie + form field / X-CSRF-Token header for HTMX)
  • Split account recovery into GET confirmation page + POST action so destructive recovery is not a bare GET
  • Keep auth cookies at SameSite=strict after email promotion (remove the lax override)
  • Disable CSRF in the test suite via CSRF_ENABLED=0; add dedicated CSRF tests with protection enabled

Closes #219

Test plan

  • uv run pytest tests/
  • uv run ty check .

Use double-submit CSRF cookies on state-changing requests, show a
confirmation form for account recovery, and keep auth cookies at
SameSite=strict after email promotion.
@chriscarrollsmith
chriscarrollsmith merged commit b33ab5c into main Jul 2, 2026
2 checks passed
@chriscarrollsmith
chriscarrollsmith deleted the fix/219-csrf-and-recover-post branch July 2, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: strengthen CSRF posture and convert account recovery to POST

1 participant