security hardening

2026-04-18 11:10:41 +00:00
parent a409203025
commit 21618efbad
36 changed files with 1455 additions and 283 deletions
--- a/settings-site/public/js/login.js
+++ b/settings-site/public/js/login.js
@@ -0,0 +1,36 @@
+async function fetchCsrfToken() {
+  const res = await fetch('/api/csrf-token', { credentials: 'same-origin' });
+  if (!res.ok) throw new Error('Failed to fetch CSRF token');
+  const data = await res.json();
+  return data.csrfToken;
+}
+
+document.getElementById('login-form').addEventListener('submit', async (e) => {
+  e.preventDefault();
+  const password = document.getElementById('password').value;
+  const errorEl = document.getElementById('error');
+  errorEl.classList.remove('visible');
+
+  try {
+    const csrfToken = await fetchCsrfToken();
+    const res = await fetch('/login', {
+      method: 'POST',
+      credentials: 'same-origin',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-csrf-token': csrfToken
+      },
+      body: JSON.stringify({ password })
+    });
+    if (res.ok) {
+      window.location.href = '/';
+    } else {
+      const data = await res.json().catch(() => ({}));
+      errorEl.textContent = data.error || 'Invalid password';
+      errorEl.classList.add('visible');
+    }
+  } catch (err) {
+    errorEl.textContent = 'Login failed. Please try again.';
+    errorEl.classList.add('visible');
+  }
+});