feat: add CSRF protection for authenticated endpoints

- Implemented CSRF token generation and validation for state-changing operations
- Added CSRF middleware to protected routes (logout, comments, admin operations)
- Restricted comment creation and deletion to admin users only in UI

Author: zerox80

backend/src/handlers/auth.rs

@@ -1,4 +1,4 @@
-use crate::{auth, db::DbPool, models::*};
+use crate::{auth, csrf, db::DbPool, models::*};
 use axum::{
     extract::State,
     http::{HeaderMap, StatusCode},
@@ -39,6 +39,20 @@ fn parse_rfc3339_opt(value: &Option<String>) -> Option<DateTime<Utc>> {
     value.as_ref().and_then(|timestamp| chrono::DateTime::parse_from_rfc3339(timestamp).ok()).map(|dt| dt.with_timezone(&Utc))
 }
 
+fn dummy_bcrypt_hash() -> &'static str {
+    static DUMMY_HASH: OnceLock<String> = OnceLock::new();
+
+    DUMMY_HASH.get_or_init(|| {
+        match bcrypt::hash("dummy", bcrypt::DEFAULT_COST) {
+            Ok(hash) => hash,
+            Err(err) => {
+                tracing::error!("Failed to generate dummy hash: {}", err);
+                "$2b$12$eImiTXuWVxfM37uY4JANjQPzMzXZjQDzqzQpMv0xoGrTplPPNaE3W".to_string()
+            }
+        }
+    })
+}
+
 // Input validation
 fn validate_username(username: &str) -> Result<(), String> {
     if username.is_empty() {
@@ -158,17 +172,8 @@ pub async fn login(
     // Timing attack prevention: Always verify password even if user doesn't exist
     // Use a dummy hash that matches DEFAULT_COST to ensure consistent timing
     // This hash was generated with bcrypt::DEFAULT_COST for the password "dummy"
-    let dummy_hash = match bcrypt::hash("dummy", bcrypt::DEFAULT_COST) {
-        Ok(hash) => hash,
-        Err(err) => {
-            tracing::error!("Failed to generate dummy hash: {}", err);
-            // Fallback to cost-12 dummy hash to avoid panicking
-            "$2b$12$eImiTXuWVxfM37uY4JANjQPzMzXZjQDzqzQpMv0xoGrTplPPNaE3W".to_string()
-        }
-    };
-
-    let hash_to_verify_owned = user.as_ref().map(|u| u.password_hash.clone()).unwrap_or(dummy_hash);
-    let hash_to_verify = hash_to_verify_owned.as_str();
+    let hash_to_verify_owned = user.as_ref().map(|u| u.password_hash.clone());
+    let hash_to_verify = hash_to_verify_owned.as_deref().unwrap_or(dummy_bcrypt_hash());
 
     // Always perform verification regardless of whether user exists
     let verification_result = bcrypt::verify(&payload.password, hash_to_verify);
@@ -254,6 +259,18 @@ pub async fn login(
     let mut headers = HeaderMap::new();
     auth::append_auth_cookie(&mut headers, auth::build_auth_cookie(&token));
 
+    if let Ok(csrf_token) = csrf::issue_csrf_token(&user_record.username) {
+        csrf::append_csrf_cookie(&mut headers, &csrf_token);
+    } else {
+        tracing::error!("Failed to issue CSRF token for user {}", user_record.username);
+        return Err((
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(ErrorResponse {
+                error: "Failed to create token".to_string(),
+            }),
+        ));
+    }
+
     Ok((
         headers,
         Json(LoginResponse {
@@ -291,8 +308,12 @@ pub async fn me(
 /// # Returns
 ///
 /// An HTTP `204 No Content` response with a `Set-Cookie` header to clear the auth cookie.
-pub async fn logout() -> (StatusCode, HeaderMap) {
+pub async fn logout(
+    claims: auth::Claims,
+) -> (StatusCode, HeaderMap) {
     let mut headers = HeaderMap::new();
     auth::append_auth_cookie(&mut headers, auth::build_cookie_removal());
+    csrf::append_csrf_removal(&mut headers);
+    tracing::info!(user = %claims.sub, "User logged out");
     (StatusCode::NO_CONTENT, headers)
 }

backend/src/main.rs

@@ -1,4 +1,5 @@
 mod auth;
+mod csrf;
 mod db;
 mod handlers;
 mod models;
@@ -265,6 +266,10 @@ async fn main() {
     auth::init_jwt_secret().expect("Failed to initialize JWT secret");
     tracing::info!("JWT secret initialized successfully");
 
+    // Initialize CSRF secret
+    csrf::init_csrf_secret().expect("Failed to initialize CSRF secret");
+    tracing::info!("CSRF secret initialized successfully");
+
     // Initialize database
     let pool = db::create_pool().await.expect("Failed to create database pool");
 
@@ -322,7 +327,12 @@ async fn main() {
     // Login route with rate limiting
     let login_router = Router::new()
         .route("/api/auth/login", post(handlers::auth::login))
-        .route("/api/auth/logout", post(handlers::auth::logout))
+        .route(
+            "/api/auth/logout",
+            post(handlers::auth::logout)
+                .layer(middleware::from_extractor::<csrf::CsrfGuard>())
+                .layer(middleware::from_extractor::<auth::Claims>()),
+        )
         .layer(RequestBodyLimitLayer::new(LOGIN_BODY_LIMIT))
         .layer(GovernorLayer::new(rate_limit_config));
 
@@ -381,6 +391,7 @@ async fn main() {
             "/api/comments/{id}",
             delete(handlers::comments::delete_comment),
         )
+        .route_layer(middleware::from_extractor::<csrf::CsrfGuard>())
         .route_layer(middleware::from_extractor::<auth::Claims>())
         .layer(RequestBodyLimitLayer::new(ADMIN_BODY_LIMIT))
         .layer(GovernorLayer::new(admin_rate_limit_config.clone()));

src/api/client.js

@@ -70,6 +70,21 @@ const isBinaryBody = (body) => {
   return false
 }
 
+const CSRF_COOKIE_NAME = 'ltcms_csrf'
+const CSRF_HEADER_NAME = 'x-csrf-token'
+
+const getCsrfToken = () => {
+  if (typeof document === 'undefined' || !document.cookie) {
+    return null
+  }
+
+  return document.cookie
+    .split(';')
+    .map((cookie) => cookie.trim())
+    .find((cookie) => cookie.startsWith(`${CSRF_COOKIE_NAME}=`))
+    ?.split('=')[1] ?? null
+}
+
 /**
  * Manages all communication with the backend API.
  * Provides methods for authentication, tutorials, site content, and more.
@@ -222,6 +237,14 @@ class ApiClient {
       config.body = JSON.stringify(bodyCandidate)
     }
 
+    const requiresCsrf = !['GET', 'HEAD', 'OPTIONS'].includes(method)
+    if (requiresCsrf && !headers.has(CSRF_HEADER_NAME)) {
+      const csrfToken = getCsrfToken()
+      if (csrfToken) {
+        headers.set(CSRF_HEADER_NAME, csrfToken)
+      }
+    }
+
     try {
       const response = await fetch(url, config)
 

src/components/Comments.jsx

@@ -16,7 +16,8 @@ const Comments = ({ tutorialId }) => {
   const [comments, setComments] = useState([]);
   const [newComment, setNewComment] = useState('');
   const [isLoading, setIsLoading] = useState(false);
-  const { isAuthenticated } = useAuth();
+  const { isAuthenticated, user } = useAuth();
+  const isAdmin = Boolean(user && user.role === 'admin');
 
   useEffect(() => {
     loadComments();
@@ -34,7 +35,7 @@ const Comments = ({ tutorialId }) => {
 
   const handleSubmit = async (e) => {
     e.preventDefault();
-    if (!newComment.trim() || !isAuthenticated) return;
+    if (!newComment.trim() || !isAuthenticated || !isAdmin) return;
 
     setIsLoading(true);
     try {
@@ -49,6 +50,7 @@ const Comments = ({ tutorialId }) => {
   };
 
   const handleDelete = async (commentId) => {
+    if (!isAdmin) return;
     if (!confirm('Kommentar wirklich löschen?')) return;
 
     try {
@@ -67,7 +69,7 @@ const Comments = ({ tutorialId }) => {
       </h2>
 
       {/* Comment Form */}
-      {isAuthenticated && (
+      {isAdmin && (
         <form onSubmit={handleSubmit} className="mb-8">
           <textarea
             value={newComment}
@@ -101,6 +103,14 @@ const Comments = ({ tutorialId }) => {
         </div>
       )}
 
+      {isAuthenticated && !isAdmin && (
+        <div className="mb-8 p-4 bg-gray-50 dark:bg-gray-800 rounded-xl text-center">
+          <p className="text-gray-600 dark:text-gray-400">
+            Nur Administratoren können Kommentare hinzufügen oder löschen.
+          </p>
+        </div>
+      )}
+
       {/* Comments List */}
       <div className="space-y-4">
         {comments.length === 0 ? (
@@ -122,7 +132,7 @@ const Comments = ({ tutorialId }) => {
                     {new Date(comment.created_at).toLocaleDateString('de-DE')}
                   </span>
                 </div>
-                {isAuthenticated && (
+                {isAdmin && (
                   <button
                     onClick={() => handleDelete(comment.id)}
                     className="p-1 text-red-600 hover:bg-red-50 dark:hover:bg-red-900/20 rounded transition-colors"