feat(security): use bcrypt hashes and safe paths for boxes

- Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes - Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write
2026-04-28 21:42:36 +03:00
parent a5d6d69be0
commit cb026d4fd1
15 changed files with 545 additions and 68 deletions
--- a/templates/admin_users.html
+++ b/templates/admin_users.html
@@ -29,11 +29,12 @@
                    </nav>
                    {{ if .Error }}
                        <p class="admin-error">{{ .Error }}</p>
-                    {{ end }}
-                    <form class="admin-form win98-panel" action="/admin/users" method="post">
-                        <label class="admin-form-row">
-                            <span>Username</span>
-                            <input name="username" required>
+					{{ end }}
+					<form class="admin-form win98-panel" action="/admin/users" method="post">
+						<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+						<label class="admin-form-row">
+							<span>Username</span>
+							<input name="username" required>
                        </label>
                        <label class="admin-form-row">
                            <span>Email</span>
@@ -72,11 +73,12 @@
                                    <td>{{ .Tags }}</td>
                                    <td>{{ .CreatedAt }}</td>
                                    <td>{{ if .Disabled }}Disabled{{ else }}Active{{ end }}</td>
-                                    <td>
-                                        <form action="/admin/users" method="post">
-                                            <input type="hidden" name="action" value="toggle_disabled">
-                                            <input type="hidden" name="user_id" value="{{ .ID }}">
-                                            <button class="win98-button" type="submit" {{ if .IsCurrent }}disabled{{ end }}>{{ if .Disabled }}Enable{{ else }}Disable{{ end }}</button>
+									<td>
+										<form action="/admin/users" method="post">
+											<input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
+											<input type="hidden" name="action" value="toggle_disabled">
+											<input type="hidden" name="user_id" value="{{ .ID }}">
+											<button class="win98-button" type="submit" {{ if .IsCurrent }}disabled{{ end }}>{{ if .Disabled }}Enable{{ else }}Disable{{ end }}</button>
                                        </form>
                                    </td>
                                </tr>