security: Add CSRF protection to login and authentication routes

[tphakala]

• Configure CSRF middleware with custom settings
• Add CSRF token generation and rendering in login page
• Expose CSRF token in login template
• Modify security functions to support local subnet detection
• Improve security middleware configuration

Proposed solution to fix #314

[coderabbitai]

Walkthrough

The changes implement CSRF protection in the authentication flow. The login page rendering now injects a CSRF token into the template data, and a corresponding hidden input field has been added to the login form. A new middleware is introduced to validate CSRF tokens, with configurable cookie settings and a skip mechanism for certain routes. Additionally, the helper function for checking local subnets has been renamed and exported for external use. New methods have been added to the OAuth2Server to manage user authentication, authorization code generation, exchange, and access token validation.

Changes

Files	Change Summary
internal/httpcontroller/auth_routes.go views/elements/login.html	Added CSRF token support in login rendering: a "CSRFToken" key is passed to the view and a hidden input field for the CSRF token is added to the login form.
internal/httpcontroller/middleware.go	Introduced new CSRF middleware using middleware.CSRFWithConfig with options for token lookup, cookie settings, and a skipper function for asset and media routes.
internal/security/basic.go	Renamed isInLocalSubnet to IsInLocalSubnet (exported) and updated its invocation in HandleBasicAuthToken.
internal/security/oauth.go	Added new methods to the OAuth2Server: IsUserAuthenticated, GenerateAuthCode, ExchangeAuthCode, and ValidateAccessToken for enhanced OAuth authentication management.

Sequence Diagram(s)

sequenceDiagram
    participant U as User
    participant M as Middleware
    participant A as Auth Route
    participant V as View Renderer

    U->>M: Sends login page request
    M->>A: Forwards request after CSRF check
    A->>V: Renders login page with CSRF token data
    V-->>U: Returns HTML form with hidden CSRF token field

Loading

sequenceDiagram
    participant U as User
    participant O as OAuth2Server

    U->>O: Requests authentication (Auth Code)
    O->>O: Checks if user is authenticated (includes local subnet check)
    O->>O: Generates Auth Code with CSRF protection
    U->>O: Exchanges Auth Code for Access Token
    O->>O: Validates Auth Code and issues Access Token
    O-->>U: Returns Access Token

Loading

Possibly related issues

• Add CSRF protection to authentication flow #314 – The CSRF protection additions in the login flow and middleware directly address the issue of enhancing CSRF security in authentication.

Possibly related PRs

• feat: Hide detection action menu for unauthenticated users #420 – Contains related changes to the handleLoginPage function, focusing on redirect logic and CSRF token handling, which overlaps with the modifications in this PR.

Poem

Hop, hop, through bits and bytes I race,
Adding CSRF tokens with a gentle embrace.
Middleware stands guard at every door,
OAuth codes and tokens—security galore!
I'm a rabbit in code, leaping with delight,
Celebrating safe logins from morning till night!
🐇✨

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

internal/security/oauth.go (1)

94-99:

🧩 Analysis chain

Review local subnet authentication bypass.

The automatic authentication for local subnet clients might pose a security risk if the network is not properly secured. Consider adding additional authentication factors or making this behavior configurable.

---

🏁 Script executed:

#!/bin/bash
# Description: Check for other instances of local subnet authentication bypass

# Test: Look for similar patterns of local subnet checks
rg -A 5 'IsInLocalSubnet|isInLocalSubnet'

Length of output: 1697

---

Local Subnet Bypass Found – Revisit Authentication Logic

• OAuth Check (internal/security/oauth.go): The code immediately authenticates any client whose IP is recognized as belonging to the local subnet.
• Similar Patterns: Comparable logic is used in both internal/basic.go (for cookie handling and basic auth) and internal/httpcontroller/middleware.go.
• Security Implication: Automatically trusting local subnet addresses can be risky in environments where network segmentation isn’t strict. This could allow an attacker, who manages to spoof or gain access to a local address, to bypass proper authentication. Consider either adding additional authentication factors for local subnet clients or making this behavior configurable.

🧹 Nitpick comments (2)

internal/httpcontroller/auth_routes.go (1)

95-95: Add error handling for CSRF token retrieval.

While adding the CSRF token to the template data is correct, consider handling the case where the token might be nil.

-			"CSRFToken":     c.Get("csrf"),
+			"CSRFToken":     c.Get("csrf"), // Token is automatically generated by the CSRF middleware
+			"Error":         nil, // Add error handling if token is nil

internal/security/oauth.go (1)

140-156: Enhance auth code generation security.

The auth code generation looks secure with proper cryptographic randomness. However, consider:

1. Using a constant-time comparison for code validation
2. Adding rate limiting for code generation

 func (s *OAuth2Server) GenerateAuthCode() (string, error) {
+	// Add rate limiting
+	if s.isRateLimited() {
+		return "", errors.New("rate limit exceeded")
+	}
+
 	code := make([]byte, 32)
 	_, err := rand.Read(code)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c02e82 and 255e4df.

📒 Files selected for processing (5)

• internal/httpcontroller/auth_routes.go (1 hunks)
• internal/httpcontroller/middleware.go (1 hunks)
• internal/security/basic.go (2 hunks)
• internal/security/oauth.go (4 hunks)
• views/elements/login.html (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: unit-tests
• GitHub Check: test-docker-image
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (2)

internal/httpcontroller/middleware.go (1)

21-35: Review CSRF middleware configuration.

The CSRF configuration looks good overall, with appropriate cookie settings and token lookup. However, consider the following security aspects:

1. The skipper function might be too permissive. While it's common to skip CSRF for static assets, ensure that these directories only serve static files and cannot be used for file uploads or dynamic content.
2. The token lifetime of 1 hour is reasonable but consider making it configurable through settings.

Run the following script to verify that the skipped paths only contain static files:

✅ Verification successful

🏁 Script executed:

#!/bin/bash
# Description: Check for potential security risks in assets and media directories

# Test: Look for potentially dangerous file types in assets and media directories
rg -g '!*.{jpg,jpeg,png,gif,ico,css,js,woff,woff2,ttf,eot,svg}' -l '/assets/|/media/'

# Test: Look for file upload endpoints or dynamic content handlers in these paths
ast-grep --pattern 'func $_($_) {
  $$$
  c.FormFile($_)
  $$$
}'

Length of output: 537

---

CSRF middleware configuration verified.

• The CSRF setup (token lookup, cookie options, and conditional CookieSecure) is correctly configured.
• The skipper function correctly bypasses CSRF for requests matching static assets, and our search did not reveal any file upload handlers (e.g., calls to c.FormFile) in those paths.
• Note that the grep results include several files (like routes.go and middleware.go) because they contain text references to “/assets/” or “/media/”, which is expected. Ensure that the actual assets and media directories serve only static content and that no dynamic endpoints are inadvertently exposed.

views/elements/login.html (1)

5-5: CSRF Token Hidden Input Injection

The newly added hidden input field correctly injects a CSRF token into the login form. This aligns well with the PR objective of strengthening CSRF protection. Please ensure that the context data always provides a valid CSRF token (i.e. {{.CSRFToken}}) and that the corresponding middleware consistently validates the token upon form submission.

[coderabbitai]

🛠️ Refactor suggestion

Document security implications of IsInLocalSubnet.

Since this function is now exported and used for security-critical decisions, add comprehensive documentation about its security implications and proper usage.

-// IsInLocalSubnet checks if the given IP is in the same subnet as any local network interface
+// IsInLocalSubnet checks if the given IP is in the same subnet as any local network interface.
+//
+// Security Implications:
+// 1. This function is used for authentication bypass in local networks
+// 2. Should only be used in development or in secure, isolated networks
+// 3. Network configuration must ensure proper segmentation
+//
+// Usage:
+// - Ensure proper network security before relying on this for authentication
+// - Consider additional authentication factors in production

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// IsInLocalSubnet checks if the given IP is in the same subnet as any local network interface
	func IsInLocalSubnet(clientIP net.IP) bool {
	// IsInLocalSubnet checks if the given IP is in the same subnet as any local network interface.
	//
	// Security Implications:
	// 1. This function is used for authentication bypass in local networks
	// 2. Should only be used in development or in secure, isolated networks
	// 3. Network configuration must ensure proper segmentation
	//
	// Usage:
	// - Ensure proper network security before relying on this for authentication
	// - Consider additional authentication factors in production
	func IsInLocalSubnet(clientIP net.IP) bool {

[tphakala]

@petterip can you please review this?