miroir/crates
jedarden 4762bd3d46 feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6)
Implement CSRF protection and origin checks per plan §9:

**Session endpoints (session.rs):**
- admin_login now sets HttpOnly, Secure, SameSite=Strict cookie with sealed session ID
- Returns JSON with session_id, csrf_token, expires_at in response body
- Origin checked against admin_ui.allowed_origins (default "same-origin")

**Admin UI (admin_ui.rs):**
- Add CSP header to all Admin UI responses
- CSP template from admin_ui.csp with csp_overrides merged additively

**Tests (auth.rs):**
- CSRF token generation, extraction, and validation
- Origin validation: same-origin, specific origins, wildcard, referer fallback
- CSP header builder: base template and overrides merging

**Pre-existing (already implemented):**
- CSRF middleware validates X-CSRF-Token on state-changing requests
- Bearer tokens bypass CSRF (non-simple header forces CORS preflight)
- Config validation rejects wildcard in csp_overrides

Acceptance criteria met:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST without X-CSRF-Token → 200 (bypasses CSRF)
- Session endpoint with Origin not in allowed_origins → 403
- csp_overrides merging works correctly
- Wildcard (*) in csp_overrides rejected by validation

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 11:17:08 -04:00
miroir-core feat(bench): add integration benchmarks and fix compilation 2026-05-24 10:53:48 -04:00
miroir-ctl feat(ctl): add unit tests for key rotation and fix dump compilation 2026-05-24 08:48:21 -04:00
miroir-proxy feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6) 2026-05-24 11:17:08 -04:00