fix(security): redesign password reset tokens using crypto/rand with server-side storage

- Replace SHA512-based deterministic token with 32-byte crypto/rand token - Store tokens server-side with 1-hour expiry and single-use semantics - Remove genToken (previously broken due to time.Add immutability bug) - Add CSRF double-submit cookie protection to change/lost/reset forms - Remove token from form action URL (use hidden fields only, POST body) - Add MailFrom field and SMTP_FROM env var for configurable sender address - Add SMTP_PASSWORD_FILE env var for secure SMTP password loading - Add PUBLIC_URL env var and --public-url flag for configurable reset link domain - Use generic error messages in handlers to avoid information disclosure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 14:44:29 +07:00 · 2026-03-06 14:44:29 +07:00 · 57775bbf89
commit 57775bbf89
parent a2f368eb02
9 changed files with 193 additions and 83 deletions
--- a/csrf.go
+++ b/csrf.go
@ -0,0 +1,39 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+)
+
+func generateCSRFToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(b), nil
+}
+
+func setCSRFToken(w http.ResponseWriter) (string, error) {
+	token, err := generateCSRFToken()
+	if err != nil {
+		return "", err
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "csrf_token",
+		Value:    token,
+		Path:     "/",
+		HttpOnly: false, // must be readable via form hidden field comparison
+		SameSite: http.SameSiteStrictMode,
+	})
+	return token, nil
+}
+
+func validateCSRF(r *http.Request) bool {
+	cookie, err := r.Cookie("csrf_token")
+	if err != nil || cookie.Value == "" {
+		return false
+	}
+	formToken := r.PostFormValue("csrf_token")
+	return formToken != "" && cookie.Value == formToken
+}