security hardening

settings-site/public/js/app.js

@@ -1,6 +1,19 @@
 let savedConfig = {};
 let pendingChanges = {};
 let notificationThresholdsState = {};
+let csrfToken = '';
+
+async function fetchCsrfToken() {
+  const res = await fetch('/api/csrf-token', { credentials: 'same-origin' });
+  if (!res.ok) throw new Error('Failed to fetch CSRF token');
+  const data = await res.json();
+  csrfToken = data.csrfToken;
+  return csrfToken;
+}
+
+function csrfHeaders(base = {}) {
+  return { ...base, 'x-csrf-token': csrfToken };
+}
 
 const NOTIFICATION_PRESETS = ['15m', '30m', '1h', '2h', '4h', '8h', '1d'];
 const NOTIFICATION_TAB_KEYS = {
@@ -80,8 +93,9 @@ const NOTIFICATION_ALERT_DESCRIPTIONS = {
 async function init() {
   document.getElementById('loading').classList.remove('hidden');
   try {
+    await fetchCsrfToken();
     const [config] = await Promise.all([
-      fetch('/api/config').then(r => r.json()),
+      fetch('/api/config', { credentials: 'same-origin' }).then(r => r.json()),
       DiscordFields.fetchGuildData()
     ]);
     savedConfig = config;
@@ -177,10 +191,16 @@ function updateSaveBar() {
 }
 
 async function saveConfig(mode) {
+  const buttons = document.querySelectorAll('#save-bar button');
+  buttons.forEach(b => b.disabled = true);
   try {
+    if (mode === 'restart' && !confirm('Save changes and restart the bot now?')) {
+      return;
+    }
     const res = await fetch('/api/config', {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      credentials: 'same-origin',
+      headers: csrfHeaders({ 'Content-Type': 'application/json' }),
       body: JSON.stringify(pendingChanges)
     });
     const data = await res.json();
@@ -191,19 +211,25 @@ async function saveConfig(mode) {
       document.querySelectorAll('.changed').forEach(el => el.classList.remove('changed'));
       showToast(`${data.applied.length} settings saved.`, 'success');
     }
-    if (data.errors && data.errors.length > 0) {
+    const hasErrors = data.errors && data.errors.length > 0;
+    if (hasErrors) {
       showToast(`Errors: ${data.errors.join(', ')}`, 'error');
     }
-    if (mode === 'restart') {
+    if (mode === 'restart' && !hasErrors) {
       await fetch('/api/restart', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        credentials: 'same-origin',
+        headers: csrfHeaders({ 'Content-Type': 'application/json' }),
         body: JSON.stringify({ mode: 'immediate' })
       });
       showToast('Restart initiated.', 'warning');
+    } else if (mode === 'restart' && hasErrors) {
+      showToast('Restart cancelled due to save errors.', 'warning');
     }
   } catch (e) {
     showToast('Failed to save. Bot may be unreachable.', 'error');
+  } finally {
+    buttons.forEach(b => b.disabled = false);
   }
 }
 
@@ -221,13 +247,36 @@ async function confirmScheduledRestart() {
   if (!dt) return;
   await fetch('/api/restart', {
     method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
+    credentials: 'same-origin',
+    headers: csrfHeaders({ 'Content-Type': 'application/json' }),
     body: JSON.stringify({ mode: 'scheduled', scheduledFor: new Date(dt).toISOString() })
   });
   document.getElementById('schedule-modal').classList.add('hidden');
   showToast(`Restart scheduled for ${new Date(dt).toLocaleString()}`, 'warning');
 }
 
+async function doLogout() {
+  try {
+    await fetch('/logout', {
+      method: 'POST',
+      credentials: 'same-origin',
+      headers: csrfHeaders()
+    });
+  } catch (e) { /* ignore */ }
+  window.location.href = '/login';
+}
+
+function setupActionButtons() {
+  document.getElementById('save-btn')?.addEventListener('click', () => saveConfig('save'));
+  document.getElementById('save-restart-btn')?.addEventListener('click', () => saveConfig('restart'));
+  document.getElementById('schedule-restart-btn')?.addEventListener('click', openScheduleModal);
+  document.getElementById('schedule-confirm-btn')?.addEventListener('click', confirmScheduledRestart);
+  document.getElementById('schedule-cancel-btn')?.addEventListener('click', () => {
+    document.getElementById('schedule-modal').classList.add('hidden');
+  });
+  document.getElementById('logout-btn')?.addEventListener('click', doLogout);
+}
+
 function showToast(message, type = 'success') {
   const toast = document.createElement('div');
   toast.className = `toast toast-${type}`;
@@ -470,6 +519,7 @@ function setupSidebarRouting() {
 
 document.addEventListener('DOMContentLoaded', async () => {
   setupSidebarRouting();
+  setupActionButtons();
   await init();
   navigate(location.pathname, false);
 });

settings-site/public/js/login.js

@@ -0,0 +1,36 @@
+async function fetchCsrfToken() {
+  const res = await fetch('/api/csrf-token', { credentials: 'same-origin' });
+  if (!res.ok) throw new Error('Failed to fetch CSRF token');
+  const data = await res.json();
+  return data.csrfToken;
+}
+
+document.getElementById('login-form').addEventListener('submit', async (e) => {
+  e.preventDefault();
+  const password = document.getElementById('password').value;
+  const errorEl = document.getElementById('error');
+  errorEl.classList.remove('visible');
+
+  try {
+    const csrfToken = await fetchCsrfToken();
+    const res = await fetch('/login', {
+      method: 'POST',
+      credentials: 'same-origin',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-csrf-token': csrfToken
+      },
+      body: JSON.stringify({ password })
+    });
+    if (res.ok) {
+      window.location.href = '/';
+    } else {
+      const data = await res.json().catch(() => ({}));
+      errorEl.textContent = data.error || 'Invalid password';
+      errorEl.classList.add('visible');
+    }
+  } catch (err) {
+    errorEl.textContent = 'Login failed. Please try again.';
+    errorEl.classList.add('visible');
+  }
+});