mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-09 13:10:24 -06:00
e61c628526
Implement comprehensive CSRF token management with cookie-based double-submit pattern to improve security and SPA compatibility. Changes: - Add CSRF cookie configuration in app/config.py * WTF_CSRF_SSL_STRICT for strict SSL validation in production * CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility * CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default * CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings - Implement CSRF cookie handler in app/__init__.py * Set CSRF token in cookie after each request * Configure cookie with secure flags based on environment settings * Support for double-submit pattern and SPA frameworks - Add client-side CSRF token management in base.html * JavaScript utilities for token retrieval and validation * Cookie synchronization for frameworks that read XSRF-TOKEN * Auto-refresh mechanism for stale tokens (>15 minutes) * Pre-submit token validation and refresh * User notification for missing cookies/tokens - Clean up docker-compose.yml environment variables * Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings * These are now managed through .env files and config.py This enhancement provides better CSRF protection while maintaining compatibility with modern JavaScript frameworks and SPA architectures.