miroir/crates/miroir-proxy
jedarden 4762bd3d46 feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6)
Implement CSRF protection and origin checks per plan §9:

**Session endpoints (session.rs):**
- admin_login now sets HttpOnly, Secure, SameSite=Strict cookie with sealed session ID
- Returns JSON with session_id, csrf_token, expires_at in response body
- Origin checked against admin_ui.allowed_origins (default "same-origin")

**Admin UI (admin_ui.rs):**
- Add CSP header to all Admin UI responses
- CSP template from admin_ui.csp with csp_overrides merged additively

**Tests (auth.rs):**
- CSRF token generation, extraction, and validation
- Origin validation: same-origin, specific origins, wildcard, referer fallback
- CSP header builder: base template and overrides merging

**Pre-existing (already implemented):**
- CSRF middleware validates X-CSRF-Token on state-changing requests
- Bearer tokens bypass CSRF (non-simple header forces CORS preflight)
- Config validation rejects wildcard in csp_overrides

Acceptance criteria met:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST without X-CSRF-Token → 200 (bypasses CSRF)
- Session endpoint with Origin not in allowed_origins → 403
- csp_overrides merging works correctly
- Wildcard (*) in csp_overrides rejected by validation

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 11:17:08 -04:00
| Name | Last commit | Date |
|---|---|---|
| admin-ui/dist | feat(admin-ui): implement Overview and Topology sections (plan §13.19) | 2026-05-24 09:53:32 -04:00 |
| src | feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6) | 2026-05-24 11:17:08 -04:00 |
| static | feat(proxy): implement SPA with instant-search, facets, URL state, keyboard nav, i18n (P5.21.d, §13.21) | 2026-05-24 05:31:06 -04:00 |
| tests | feat(hedging): implement tail-latency hedging for reads (§13.2, miroir-uhj.2) | 2026-05-24 07:30:16 -04:00 |
| Cargo.toml | feat(admin-ui): implement Overview and Topology sections (plan §13.19) | 2026-05-24 09:53:32 -04:00 |