From ecdcc044b7c44d6dc7e3d180a22d35da79c15604 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Sat, 28 Mar 2026 23:17:26 -0600
Subject: [PATCH] feat: add CSRF protection to all POST forms

Installs Flask-WTF and enables CSRFProtect globally. Adds csrf_token hidden fields to all four POST forms (login, delete entry, add user, delete user, and the public guestbook form). Exempts the API endpoint which uses header-based key auth instead.
---
 app.py                        | 3 +++
 requirements.txt              | 1 +
 templates/admin.html          | 1 +
 templates/admin_login.html    | 1 +
 templates/admin_users.html    | 2 ++
 templates/index.html.template | 1 +
 6 files changed, 9 insertions(+)

diff --git a/app.py b/app.py
index c868f02..f141f94 100644
--- a/app.py
+++ b/app.py
@@ -13,6 +13,7 @@ from flask_limiter.util import get_remote_address
 from flask_login import (
     LoginManager, UserMixin, login_user, logout_user, login_required, current_user
 )
+from flask_wtf.csrf import CSRFProtect
 from werkzeug.security import generate_password_hash, check_password_hash
 
 # Set up logging
@@ -28,6 +29,7 @@ if not _secret_key:
 app.secret_key = _secret_key
 
 limiter = Limiter(get_remote_address, app=app, default_limits=[])
+csrf = CSRFProtect(app)
 
 app.config.update(
     SESSION_COOKIE_HTTPONLY=True,
@@ -467,6 +469,7 @@ def admin_users_delete(user_id):
 
 @app.route('/api/guests', methods=['GET'])
 @limiter.limit("100 per hour")
+@csrf.exempt
 def api_guests():
     api_key = request.headers.get('X-API-Key')
     if api_key != os.environ.get("API_KEY"):
diff --git a/requirements.txt b/requirements.txt
index 079758a..203127a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 Flask>=3.1.3
+Flask-WTF>=1.2
 Werkzeug>=3.0.6
 Flask-Limiter>=3.0
 Flask-Login>=0.6
diff --git a/templates/admin.html b/templates/admin.html
index a6976ab..ea00317 100644
--- a/templates/admin.html
+++ b/templates/admin.html
@@ -47,6 +47,7 @@ {% if current_user.role != 'viewer' %}
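Review bot: `csrf = CSRFProtect(app)` enables the check globally but leaves the failure path at Flask-WTF's default, a bare 400 with a generic reason, even though the module sets up logging a few lines below; registering a handler makes rejected submissions visible in the logs and gives users something better than a blank error, e.g. `@app.errorhandler(CSRFError)` / `def handle_csrf_error(e):` / `    app.logger.warning("CSRF rejected %s %s: %s", request.method, request.path, e.description); return e.description, 400` (CSRFError is imported from flask_wtf.csrf next to CSRFProtect). The token also expires after WTF_CSRF_TIME_LIMIT, 3600 seconds by default, measured from when the page was rendered, so a visitor who leaves the public guestbook form open for more than an hour is rejected on submit; either set `WTF_CSRF_TIME_LIMIT` deliberately in the `app.config.update(...)` call that follows, or have the error handler tell the user a page refresh fixes it. Token signing relies on `app.secret_key`, which the preceding lines already set, so no further wiring is needed for that. These are module-level statements, not a function body.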
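Review bot: `@csrf.exempt` on api_guests is a no-op as written, because the route only accepts GET (`methods=['GET']`) and CSRFProtect validates only the methods listed in WTF_CSRF_METHODS (POST, PUT, PATCH and DELETE by default); it is harmless today, but it will silently disable the check if a mutating method is later added to this route, so a comment such as `# csrf exempt: header-authenticated API with no cookie/session auth; revisit if methods change` is worth the line. The key check in the context lines also fails open when API_KEY is not set in the environment: `os.environ.get("API_KEY")` is None, a request without an X-API-Key header yields None as well, `None != None` is False, and the caller is admitted; the comparison is not constant-time either. Suggested: `expected = os.environ.get("API_KEY")` / `if not expected or not api_key or not hmac.compare_digest(api_key, expected):` with `import hmac` added at the top of the file. The rest of api_guests's body continues outside the hunk.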
+
{% endif %}
diff --git a/templates/admin_login.html b/templates/admin_login.html
index 76bc560..2651d0a 100644
--- a/templates/admin_login.html
+++ b/templates/admin_login.html
@@ -15,6 +15,7 @@
{{ error }}
{% endif %}
+
Add User
+
@@ -57,6 +58,7 @@
+
diff --git a/templates/index.html.template b/templates/index.html.template
index d342d8e..04c4e39 100644
--- a/templates/index.html.template
+++ b/templates/index.html.template
@@ -70,6 +70,7 @@ {% endif %}
+
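Review bot: The token added to the public guestbook form here is bound to the visitor's Flask session, so rendering this page now sets a session cookie for every anonymous visitor, and if the rendered page is served from a cache (a proxy, a CDN, or a pre-rendered output of this .template file) the cached token will not match the visitor's session and every submission will be rejected with 400. Worth confirming that the guestbook page is rendered per request rather than cached, and that the hidden field sits inside the same form element as the submit button; the added markup is not legible in this copy of the patch, so I could not verify either from the hunk.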