feat: add CSRF protection middleware

app/api/v2/__init__.py

@@ -3,7 +3,13 @@
 
 def make_app(services, upload_max_size_mb=100):
     from .responses import json_request_validation_middleware
-    from .security import authentication_required_middleware_factory, pass_option_middleware
+    from .security import authentication_required_middleware_factory, pass_option_middleware, csrf_protect_middleware_factory
+
+    try:
+        max_size = int(upload_max_size_mb)
+        max_size = max_size if max_size > 0 else 100
+    except (TypeError, ValueError):
+        max_size = 100
 
     try:
         max_size = int(upload_max_size_mb)
@@ -16,6 +22,7 @@ def make_app(services, upload_max_size_mb=100):
         middlewares=[
             pass_option_middleware,
             authentication_required_middleware_factory(services['auth_svc']),
+            csrf_protect_middleware_factory(services['auth_svc']),
             json_request_validation_middleware
         ]
     )

app/api/v2/security.py

@@ -3,6 +3,9 @@
 import types
 
 from aiohttp import web
+from aiohttp_session import get_session
+from hmac import compare_digest
+from aiohttp.web_exceptions import HTTPForbidden
 
 
 def is_handler_authentication_exempt(handler):
@@ -69,6 +72,52 @@ async def authentication_required_middleware(request, handler):
     return authentication_required_middleware
 
 
+def csrf_protect_middleware_factory(auth_svc):
+    """Protect unsafe (state-modifying) requests against CSRF for session-authenticated users.
+
+    Behavior:
+    - Allow safe methods (GET, HEAD, OPTIONS) without checks.
+    - If request provides an API key (header KEY), skip CSRF checks.
+    - For session-authenticated requests using unsafe methods, compare the X-CSRF-Token
+      header to the token stored in the server-side session (recommended) and reject
+      requests with missing/invalid tokens with HTTP 403.
+    """
+    @web.middleware
+    async def csrf_protect_middleware(request, handler):
+        # Skip safe methods
+        if request.method in ('GET', 'HEAD', 'OPTIONS'):
+            return await handler(request)
+
+        # If API key auth is present, skip CSRF checks
+        if request.headers.get('KEY'):
+            return await handler(request)
+
+        # If the endpoint handler is explicitly decorated as authentication-exempt,
+        # allow it to proceed without CSRF validation. This covers endpoints like
+        # login which must be callable before a session and CSRF token exist.
+        if is_handler_authentication_exempt(handler):
+            return await handler(request)
+
+        # For session-authenticated requests, validate token
+        try:
+            session = await get_session(request)
+            token = session.get('csrf_token') if session is not None else None
+            header = request.headers.get('X-CSRF-Token') or request.headers.get('X-XSRF-TOKEN')
+            # check if there is a token, the header is missing, and whether the token and header
+            # hash authentication works
+            if not token or not header or not compare_digest(header, token):
+                raise HTTPForbidden(text='Missing or invalid CSRF token')
+        except HTTPForbidden:
+            raise
+        except Exception:
+            # If something goes wrong accessing the session, deny the request
+            raise HTTPForbidden(text='CSRF validation error')
+
+        return await handler(request)
+
+    return csrf_protect_middleware
+
+
 @web.middleware
 async def pass_option_middleware(request, handler):
     """Allow all 'OPTIONS' request to the server to return 200

app/service/auth_svc.py

@@ -9,8 +9,10 @@
 from aiohttp_security import setup as setup_security
 from aiohttp_security.abc import AbstractAuthorizationPolicy
 from aiohttp_session import setup as setup_session
+from aiohttp_session import get_session
 from aiohttp_session.cookie_storage import EncryptedCookieStorage
 from cryptography import fernet
+import secrets
 
 from app.service.interfaces.i_auth_svc import AuthServiceInterface
 from app.service.interfaces.i_login_handler import LoginHandlerInterface
@@ -75,7 +77,14 @@ async def apply(self, app, users):
         app.user_map = self.user_map
         fernet_key = fernet.Fernet.generate_key()
         secret_key = base64.urlsafe_b64decode(fernet_key)
-        storage = EncryptedCookieStorage(secret_key, cookie_name=COOKIE_SESSION)
+        storage = EncryptedCookieStorage(
+            secret_key,
+            cookie_name=COOKIE_SESSION,
+            secure=True,
+            httponly=True,
+            max_age=86400,
+            samesite='Strict'
+        )
         setup_session(app, storage)
         policy = SessionIdentityPolicy()
         setup_security(app, policy, DictionaryAuthorizationPolicy(self.user_map))
@@ -155,6 +164,19 @@ async def handle_successful_login(self, request, username):
         self.log.debug('%s logging in', username)
         response = web.HTTPFound('/')
         await remember(request, response, username)
+
+        # Initialize per-session CSRF token and expose it via a readable cookie for double-submit
+        try:
+            session = await get_session(request)
+            if 'csrf_token' not in session:
+                session['csrf_token'] = secrets.token_urlsafe(32)
+            # Set a non-HttpOnly cookie so client-side JS can read the token for double-submit.
+            secure_flag = (request.scheme == 'https') if hasattr(request, 'scheme') else False
+            response.set_cookie('XSRF-TOKEN', session['csrf_token'], httponly=False, secure=secure_flag, samesite='Lax')
+        except Exception:
+            # If session management or cookie setting fails, continue without exposing token.
+            self.log.exception('Failed to set CSRF token on login')
+
         raise response
 
     async def check_permissions(self, group, request):