feat(security): use bcrypt hashes and safe paths for boxes

- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes

- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write

templates/admin.html

@@ -20,12 +20,13 @@
                 </header>
                 <div class="win98-panel admin-panel">
                     <nav class="admin-nav">
-                        <span>Signed in as {{ .CurrentUser }}</span>
-                        <span class="admin-spacer"></span>
-                        <form action="/admin/logout" method="post">
-                            <button class="win98-button" type="submit">Logout</button>
-                        </form>
-                    </nav>
+						<span>Signed in as {{ .CurrentUser }}</span>
+						<span class="admin-spacer"></span>
+						<form action="/admin/logout" method="post">
+							<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+							<button class="win98-button" type="submit">Logout</button>
+						</form>
+					</nav>
                     <div class="admin-grid">
                         <a class="win98-panel admin-link" href="/admin/boxes"><strong>Boxes</strong></a>
                         <a class="win98-panel admin-link" href="/admin/users"><strong>Users</strong></a>

templates/admin_settings.html

@@ -29,9 +29,10 @@
                     </nav>
                     {{ if .Error }}
                         <p class="admin-error">{{ .Error }}</p>
-                    {{ end }}
-                    <form class="admin-form" action="/admin/settings" method="post">
-                        <table class="admin-table">
+					{{ end }}
+					<form class="admin-form" action="/admin/settings" method="post">
+						<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+						<table class="admin-table">
                             <thead>
                                 <tr>
                                     <th>Setting</th>

templates/admin_tags.html

@@ -29,11 +29,12 @@
                     </nav>
                     {{ if .Error }}
                         <p class="admin-error">{{ .Error }}</p>
-                    {{ end }}
-                    <form class="admin-form win98-panel" action="/admin/tags" method="post">
-                        <label class="admin-form-row">
-                            <span>Name</span>
-                            <input name="name" required>
+					{{ end }}
+					<form class="admin-form win98-panel" action="/admin/tags" method="post">
+						<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+						<label class="admin-form-row">
+							<span>Name</span>
+							<input name="name" required>
                         </label>
                         <label class="admin-form-row">
                             <span>Description</span>

templates/admin_users.html

@@ -29,11 +29,12 @@
                     </nav>
                     {{ if .Error }}
                         <p class="admin-error">{{ .Error }}</p>
-                    {{ end }}
-                    <form class="admin-form win98-panel" action="/admin/users" method="post">
-                        <label class="admin-form-row">
-                            <span>Username</span>
-                            <input name="username" required>
+					{{ end }}
+					<form class="admin-form win98-panel" action="/admin/users" method="post">
+						<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+						<label class="admin-form-row">
+							<span>Username</span>
+							<input name="username" required>
                         </label>
                         <label class="admin-form-row">
                             <span>Email</span>
@@ -72,11 +73,12 @@
                                     <td>{{ .Tags }}</td>
                                     <td>{{ .CreatedAt }}</td>
                                     <td>{{ if .Disabled }}Disabled{{ else }}Active{{ end }}</td>
-                                    <td>
-                                        <form action="/admin/users" method="post">
-                                            <input type="hidden" name="action" value="toggle_disabled">
-                                            <input type="hidden" name="user_id" value="{{ .ID }}">
-                                            <button class="win98-button" type="submit" {{ if .IsCurrent }}disabled{{ end }}>{{ if .Disabled }}Enable{{ else }}Disable{{ end }}</button>
+									<td>
+										<form action="/admin/users" method="post">
+											<input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
+											<input type="hidden" name="action" value="toggle_disabled">
+											<input type="hidden" name="user_id" value="{{ .ID }}">
+											<button class="win98-button" type="submit" {{ if .IsCurrent }}disabled{{ end }}>{{ if .Disabled }}Enable{{ else }}Disable{{ end }}</button>
                                         </form>
                                     </td>
                                 </tr>