Skip to content

fix: stable CSRF cookie across /login re-renders + open favicon route#165

Merged
ArthurBernard merged 2 commits into
developfrom
fix/login-csrf-stability
Jul 5, 2026
Merged

fix: stable CSRF cookie across /login re-renders + open favicon route#165
ArthurBernard merged 2 commits into
developfrom
fix/login-csrf-stability

Conversation

@ArthurBernard

Copy link
Copy Markdown
Owner

Two intertwined login-flow fixes (found while operating the dashboard):

  • Stable double-submit CSRF cookie. GET /login used to mint a fresh token per render and rotate the tb_csrf cookie — so any background request that got auth-redirected to /login (typically the browser's /favicon.ico probe) re-rendered the page and rotated the cookie under the form the user was looking at; every submit then 403'd, forever. The render now REUSES the browser's existing cookie when it matches the exact shape we mint (token_urlsafe(32) → 43 urlsafe chars, enforced by regex so an arbitrary value can never be echoed back into the form), and only mints otherwise — the standard stable double-submit pattern.
  • /favicon.ico is an open route (308 → /static/favicon.svg) so the icon probe never bounces through the auth redirect in the first place; login.html also declares the SVG icon explicitly.

Tests: the favicon-race regression (form token from the first render still authenticates after a background re-render), the open-route contract, and the malformed-cookie rejection (a <script> cookie is replaced, never echoed).

🤖 Generated with Claude Code

WIP preserved from the working tree (was uncommitted on develop): reuse the
browser's existing well-formed tb_csrf cookie instead of minting a fresh one
per render (a background /login re-render rotated the cookie under the form),
open /favicon.ico so the icon probe never bounces through /login, and cover
both with tests.
@ArthurBernard ArthurBernard merged commit dbd41aa into develop Jul 5, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant