
umputun / cronn / 17219218529
75%

Build:
DEFAULT BRANCH: master
Ran 25 Aug 2025 07:55PM UTC
Jobs 1
Files 22
Run time 1min

25 Aug 2025 07:54PM UTC coverage: 73.815% (+1.1%) from 72.672%
17219218529

push

github

web-flow
feat(web): implement secure authentication system with CSRF protection (#45)

* feat(web): implement comprehensive authentication with CSRF protection

Add complete authentication system for web dashboard with modern security features:

Authentication Features:
- Custom styled login form with theme support (light/dark/auto)
- Cookie-based authentication with bcrypt password hashing
- Basic auth fallback for API clients and CLI tools
- Secure logout with proper cookie clearing and HTMX compatibility
- Conditional UI elements (login/logout links) based on auth status

Security Enhancements:
- Upgrade to Go 1.25 for built-in CSRF protection
- CSRF protection using http.CrossOriginProtection on all POST endpoints
- Blocks malicious cross-origin requests via Sec-Fetch-Site and Origin headers
- Allows same-origin requests and safe methods (GET, HEAD, OPTIONS)
- Secure cookie settings (HttpOnly, SameSite, Secure when HTTPS)

Code Organization:
- Refactor authentication logic into dedicated app/web/auth.go (175 lines)
- Separate auth tests in app/web/auth_test.go with comprehensive coverage
- Clean separation of concerns from main web.go (reduced by 150+ lines)

Configuration:
- Add --web.password-hash flag for bcrypt password configuration
- README updated with authentication setup examples
- CI pipeline updated to use Go 1.25

Testing:
- Comprehensive test coverage for all auth scenarios
- CSRF protection test suite covering cross-origin attack vectors
- Login/logout flow validation with cookie management
- Integration tests for authenticated vs unauthenticated access

* security: address critical authentication vulnerabilities

- Replace static session tokens with cryptographically secure random tokens
- Implement server-side session management with 24-hour expiration
- Add automatic session cleanup and proper logout invalidation
- Enhance cookie security with __Host- prefix for HTTPS connections
- Reduce cookie lifetime from 7 days to 24 hours
- Use SameS... (continued)

185 of 209 new or added lines in 3 files covered. (88.52%)

2103 of 2849 relevant lines covered (73.82%)

24.12 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
1      36.87     -0.21%  app/main.go
2      91.03     0.03%   app/web/web.go
21     88.4              app/web/auth.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   17219218529.1  25 Aug 2025 07:55PM UTC  22     73.82
  • f9f53d53 on github