security: add CSRF protection to all forms

- Add Flask-WTF dependency for CSRF protection - Initialize CSRFProtect in app.py - Add CSRF tokens to all POST forms in templates - Exempt /order JSON API endpoint (uses API key instead) This protects against Cross-Site Request Forgery attacks on all admin and user management operations. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 08:01:22 +01:00
parent 12eece0226
commit e062a1e836
8 changed files with 20 additions and 0 deletions
--- a/wawi/templates/users.html
+++ b/wawi/templates/users.html
@@ -15,6 +15,7 @@
      {% endif %}
    {% endwith %}
    <form method="post">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
      <div class="form-grid">
        <label>
          Benutzername
@@ -47,9 +48,11 @@
            <td>{{ u.created_at }}</td>
            <td class="actions">
              <form method="post" action="{{ url_for('bp.reset_user_password', user_id=u.id) }}" onsubmit="return confirm('Passwort für diesen Benutzer wirklich zurücksetzen?');">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                <button class="btn small" type="submit">Passwort neu</button>
              </form>
              <form method="post" action="{{ url_for('bp.delete_user', user_id=u.id) }}" onsubmit="return confirm('Benutzer wirklich löschen?');">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                <button class="btn small danger" type="submit">Löschen</button>
              </form>
            </td>