firefrost-services

Files

Claude (Chronicler #51) 2386919998 fix: Implement CSRF protection for Trinity Console

CRITICAL SECURITY FIX - Prevents Cross-Site Request Forgery attacks

Changes:
- Installed csurf middleware (session-based tokens)
- Added CSRF middleware to all /admin routes in src/index.js
- Configured admin router to pass csrfToken to all views
- Updated layout.ejs to send CSRF token with htmx requests
- Added EJS view engine configuration
- Added body parsing middleware (json + urlencoded)

Security Impact:
- Prevents malicious sites from executing admin actions using cookies
- All POST requests now require valid CSRF token
- Invalid tokens return 403 Forbidden
- Session-based tokens (no cookies needed)

Protected Routes:
- /admin/servers/:id/sync (force whitelist sync)
- /admin/servers/:id/toggle-whitelist (whitelist toggle)
- /admin/grace/:id/extend (grace period extension)
- /admin/grace/:id/manual (manual payment override)
- /admin/roles/resync/:id (role assignment)

Attack Scenario Prevented:
User visits malicious site while logged into Trinity Console
→ Site tries to submit form to admin endpoint
→ Request includes session cookie but NO CSRF token
→ Server rejects with 403 Forbidden
→ Attack failed!

Note: csurf is deprecated but still functional. For future refactor,
consider csrf-csrf or Express 5 built-in protection.

Refs: TRINITY-CONSOLE-PRE-LAUNCH-CHECKLIST.md - Fix #1
Chronicler: #51

Signed-off-by: Claude (Chronicler #51) <claude@firefrostgaming.com>

2026-04-01 05:27:40 +00:00

arbiter

feat: Migrate Arbiter and Modpack Version Checker to monorepo

2026-03-31 21:52:42 +00:00

arbiter-3.0

fix: Implement CSRF protection for Trinity Console

2026-04-01 05:27:40 +00:00

modpack-version-checker

feat: Migrate Arbiter and Modpack Version Checker to monorepo

2026-03-31 21:52:42 +00:00

whitelist-manager

feat: Add current Whitelist Manager to monorepo (will be replaced by Arbiter 2.x)

2026-03-31 22:44:54 +00:00