miroir/crates/miroir-proxy/src
jedarden 4762bd3d46 feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6)
Implement CSRF protection and origin checks per plan §9:

**Session endpoints (session.rs):**
- admin_login now sets HttpOnly, Secure, SameSite=Strict cookie with sealed session ID
- Returns JSON with session_id, csrf_token, expires_at in response body
- Origin checked against admin_ui.allowed_origins (default "same-origin")

**Admin UI (admin_ui.rs):**
- Add CSP header to all Admin UI responses
- CSP template from admin_ui.csp with csp_overrides merged additively

**Tests (auth.rs):**
- CSRF token generation, extraction, and validation
- Origin validation: same-origin, specific origins, wildcard, referer fallback
- CSP header builder: base template and overrides merging

**Pre-existing (already implemented):**
- CSRF middleware validates X-CSRF-Token on state-changing requests
- Bearer tokens bypass CSRF (non-simple header forces CORS preflight)
- Config validation rejects wildcard in csp_overrides

Acceptance criteria met:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST without X-CSRF-Token → 200 (bypasses CSRF)
- Session endpoint with Origin not in allowed_origins → 403
- csp_overrides merging works correctly
- Wildcard (*) in csp_overrides rejected by validation

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 11:17:08 -04:00
..
routes feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6) 2026-05-24 11:17:08 -04:00
admin_session.rs feat(multi-search): implement timeout enforcement and acceptance tests (§13.11) 2026-05-24 01:54:20 -04:00
admin_ui.rs feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6) 2026-05-24 11:17:08 -04:00
auth.rs feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6) 2026-05-24 11:17:08 -04:00
client.rs feat(multi-search): implement timeout enforcement and acceptance tests (§13.11) 2026-05-24 01:54:20 -04:00
error.rs Integrate MeilisearchError into proxy (IntoResponse, auth middleware) + telemetry 2026-04-19 05:21:09 -04:00
error_response.rs feat(tests): add cross-compatibility SDK tests and standalone Meilisearch 2026-05-24 08:40:58 -04:00
lib.rs feat(admin-ui): implement Overview and Topology sections (plan §13.19) 2026-05-24 09:53:32 -04:00
main.rs feat(metrics): add resource-pressure metrics collection (plan §14.9) 2026-05-24 10:08:37 -04:00
middleware.rs feat(logging): add structured JSON logging tests and docs (plan §10, P7.5) 2026-05-24 10:00:21 -04:00
otel.rs feat(multi-search): implement timeout enforcement and acceptance tests (§13.11) 2026-05-24 01:54:20 -04:00
retry_cache.rs Phase 1 (miroir-cdo): Final verification summary 2026-05-09 11:38:45 -04:00
scatter.rs Phase 2 (miroir-9dj): Proxy + API Surface — Complete implementation 2026-05-09 12:08:28 -04:00
scoped_key_rotation.rs feat(multi-search): implement timeout enforcement and acceptance tests (§13.11) 2026-05-24 01:54:20 -04:00
state.rs Phase 1 (miroir-cdo): Final verification summary 2026-05-09 11:38:45 -04:00
task_manager.rs Phase 1 (miroir-cdo): Final verification summary 2026-05-09 11:38:45 -04:00