From e062a1e83606e7a49996b3f2dbc1b31b9241dc64 Mon Sep 17 00:00:00 2001
From: Bjoern Welker <bjoern@welker.me>
Date: Fri, 6 Feb 2026 08:01:22 +0100
Subject: [PATCH] security: add CSRF protection to all forms

- Add Flask-WTF dependency for CSRF protection
- Initialize CSRFProtect in app.py
- Add CSRF tokens to all POST forms in templates
- Exempt /order JSON API endpoint (uses API key instead)

This protects against Cross-Site Request Forgery attacks on all
admin and user management operations.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 requirements.txt              | 4 ++++
 wawi/app.py                   | 6 ++++++
 wawi/templates/ausbuchen.html | 1 +
 wawi/templates/edit.html      | 1 +
 wawi/templates/index.html     | 2 ++
 wawi/templates/login.html     | 1 +
 wawi/templates/orders.html    | 2 ++
 wawi/templates/users.html     | 3 +++
 8 files changed, 20 insertions(+)
 create mode 100755 requirements.txt
 mode change 100644 => 100755 wawi/templates/ausbuchen.html
 mode change 100644 => 100755 wawi/templates/edit.html
 mode change 100644 => 100755 wawi/templates/index.html
 mode change 100644 => 100755 wawi/templates/login.html
 mode change 100644 => 100755 wawi/templates/orders.html
 mode change 100644 => 100755 wawi/templates/users.html

diff --git a/requirements.txt b/requirements.txt
new file mode 100755
index 0000000..2d392cf
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,4 @@
+Flask>=3.0.0
+Flask-WTF>=1.2.0
+Werkzeug>=3.0.0
+gunicorn>=21.0.0
diff --git a/wawi/app.py b/wawi/app.py
index 45911f1..3da2967 100755
--- a/wawi/app.py
+++ b/wawi/app.py
@@ -22,6 +22,7 @@ from datetime import datetime
 from typing import Any
 
 from flask import Flask, Blueprint, g, flash, jsonify, redirect, render_template, request, session, url_for
+from flask_wtf.csrf import CSRFProtect
 from werkzeug.security import check_password_hash, generate_password_hash
 from werkzeug.utils import secure_filename
 
@@ -41,6 +42,10 @@ app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
 app.config["SESSION_COOKIE_SECURE"] = os.environ.get("COOKIE_SECURE", "1") == "1"
 app.config["SESSION_COOKIE_HTTPONLY"] = True
 app.config["MAX_CONTENT_LENGTH"] = 5 * 1024 * 1024
+
+# CSRF-Schutz aktivieren
+csrf = CSRFProtect(app)
+
 bp = Blueprint("bp", __name__)
 
 UPLOAD_DIR.mkdir(parents=True, exist_ok=True)
@@ -597,6 +602,7 @@ def build_bestand() -> list[dict]:
 
 
 @bp.route("/order", methods=["POST"])
+@csrf.exempt  # JSON API ohne CSRF-Schutz (nutzt API-Key stattdessen)
 def order():
     """Erstellt eine Bestellung (optional API‑Key) und versendet Mail."""
     ip = request.headers.get("X-Forwarded-For", request.remote_addr or "unknown").split(",")[0].strip()
diff --git a/wawi/templates/ausbuchen.html b/wawi/templates/ausbuchen.html
old mode 100644
new mode 100755
index f941ce1..04adf9c
--- a/wawi/templates/ausbuchen.html
+++ b/wawi/templates/ausbuchen.html
@@ -4,6 +4,7 @@
     <h2>Ausbuchen: {{ item.artikel }} ({{ item.groesse }})</h2>
     <div class="note">Aktueller Bestand: <strong>{{ item.gezaehlt }}</strong></div>
     <form method="post" onsubmit="return confirm('Wirklich ausbuchen?');">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-grid">
         <label>
           Menge
diff --git a/wawi/templates/edit.html b/wawi/templates/edit.html
old mode 100644
new mode 100755
index 2190485..78bead2
--- a/wawi/templates/edit.html
+++ b/wawi/templates/edit.html
@@ -3,6 +3,7 @@
   <div class="card form-card">
     <h2>{{ "Artikel bearbeiten" if item else "Neuen Artikel anlegen" }}</h2>
     <form method="post" enctype="multipart/form-data">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-grid">
         <label>
           Artikel
diff --git a/wawi/templates/index.html b/wawi/templates/index.html
old mode 100644
new mode 100755
index c822e55..d98e3da
--- a/wawi/templates/index.html
+++ b/wawi/templates/index.html
@@ -67,10 +67,12 @@
                 <td class="actions">
                   <a class="btn icon" href="{{ url_for('bp.edit_item', item_id=r.id) }}" title="Bearbeiten" aria-label="Bearbeiten"><span>✎</span></a>
                   <form method="post" action="{{ url_for('bp.verkauf', item_id=r.id) }}" onsubmit="return confirm('Wirklich 1 Stück als verkauft buchen?');">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                     <button class="btn icon" type="submit" title="Verkauf +1" aria-label="Verkauf +1"><span>🛒</span></button>
                   </form>
                   <a class="btn icon" href="{{ url_for('bp.ausbuchen', item_id=r.id) }}" title="Ausbuchen" aria-label="Ausbuchen"><span>⇩</span></a>
                   <form method="post" action="{{ url_for('bp.delete_item', item_id=r.id) }}" onsubmit="return confirm('Wirklich löschen? Dieser Vorgang kann nicht rückgängig gemacht werden.');">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                     <button class="btn icon danger" type="submit" title="Löschen" aria-label="Löschen"><span>🗑</span></button>
                   </form>
                 </td>
diff --git a/wawi/templates/login.html b/wawi/templates/login.html
old mode 100644
new mode 100755
index 63afd36..ac43810
--- a/wawi/templates/login.html
+++ b/wawi/templates/login.html
@@ -6,6 +6,7 @@
       <div class="note">Benutzername oder Passwort ist falsch.</div>
     {% endif %}
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-grid">
         <label>
           Benutzer
diff --git a/wawi/templates/orders.html b/wawi/templates/orders.html
old mode 100644
new mode 100755
index 00424d5..3f1868b
--- a/wawi/templates/orders.html
+++ b/wawi/templates/orders.html
@@ -45,9 +45,11 @@
             <td class="actions">
               {% if not o.done and not o.canceled %}
                 <form method="post" action="{{ url_for('bp.complete_order', order_id=o.id) }}" onsubmit="return confirm('Bestellung als erledigt markieren?');">
+                  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                   <button class="btn small" type="submit">Erledigt</button>
                 </form>
                 <form method="post" action="{{ url_for('bp.cancel_order', order_id=o.id) }}" onsubmit="return confirm('Bestellung wirklich stornieren?');">
+                  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                   <button class="btn small danger" type="submit">Stornieren</button>
                 </form>
               {% else %}
diff --git a/wawi/templates/users.html b/wawi/templates/users.html
old mode 100644
new mode 100755
index 1eda894..ad78ce3
--- a/wawi/templates/users.html
+++ b/wawi/templates/users.html
@@ -15,6 +15,7 @@
       {% endif %}
     {% endwith %}
     <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
       <div class="form-grid">
         <label>
           Benutzername
@@ -47,9 +48,11 @@
             <td>{{ u.created_at }}</td>
             <td class="actions">
               <form method="post" action="{{ url_for('bp.reset_user_password', user_id=u.id) }}" onsubmit="return confirm('Passwort für diesen Benutzer wirklich zurücksetzen?');">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                 <button class="btn small" type="submit">Passwort neu</button>
               </form>
               <form method="post" action="{{ url_for('bp.delete_user', user_id=u.id) }}" onsubmit="return confirm('Benutzer wirklich löschen?');">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                 <button class="btn small danger" type="submit">Löschen</button>
               </form>
             </td>