Development Build
**Version:** dev-35-e61c6285
**Commit:** e61c628
**Branch:** develop
**Build:** #35
### Docker Image
```
ghcr.io/DRYTRIX/TimeTracker:develop
```
### Quick Start
```bash
docker pull ghcr.io/DRYTRIX/TimeTracker:develop
docker-compose -f deployment-dev.yml up -d
```
### Changes
feat: enhance CSRF protection with double-submit cookie pattern
Implement comprehensive CSRF token management with cookie-based
double-submit pattern to improve security and SPA compatibility.
Changes:
- Add CSRF cookie configuration in app/config.py
  - WTF_CSRF_SSL_STRICT for strict SSL validation in production
  - CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
  - CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
  - CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings
- Implement CSRF cookie handler in app/init.py
  - Set CSRF token in cookie after each request
  - Configure cookie with secure flags based on environment settings
  - Support for double-submit pattern and SPA frameworks
- Add client-side CSRF token management in base.html
  - JavaScript utilities for token retrieval and validation
  - Cookie synchronization for frameworks that read XSRF-TOKEN
  - Auto-refresh mechanism for stale tokens (>15 minutes)
  - Pre-submit token validation and refresh
  - User notification for missing cookies/tokens
- Clean up docker-compose.yml environment variables
  - Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
  - These are now managed through .env files and config.py
This enhancement provides better CSRF protection while maintaining
compatibility with modern JavaScript frameworks and SPA architectures.
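The commit message above describes a double-submit cookie pattern: the server sets the CSRF token in a readable cookie, the page's JavaScript echoes it back in a request header, and the server accepts the request only if both copies agree and the token is fresh. The following is an added example, not TimeTracker's own code or Flask-WTF's token format; it uses only the Python standard library so the pattern can be read end to end. The config dict mirrors the setting names listed in the commit, the `X-CSRF-Token` header name and the HMAC-signed token layout are assumptions for the example, and the secret is a constructed placeholder.

```python
"""Double-submit cookie CSRF check, stdlib only (added example, not the project's code)."""
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed config mirroring the setting names in the commit message.
# CSRF_COOKIE_SECURE=None means "inherit SESSION_COOKIE_SECURE", as the commit describes.
CONFIG = {
    "SECRET_KEY": "constructed-example-secret-do-not-use",  # placeholder, not a real key
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_NAME": "XSRF-TOKEN",
    "CSRF_COOKIE_SECURE": None,
    "CSRF_COOKIE_HTTPONLY": False,  # must stay False: the page's JS has to read this cookie
    "CSRF_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_DOMAIN": None,
}
CSRF_HEADER = "X-CSRF-Token"   # assumed header name for the echoed token
MAX_TOKEN_AGE = 15 * 60        # matches the ">15 minutes" refresh threshold in the commit


def _sign(config, payload):
    """HMAC the token payload so a token cannot be minted by anyone who can only write cookies."""
    return hmac.new(config["SECRET_KEY"].encode(), payload.encode(), hashlib.sha256).hexdigest()


def issue_token(config, now=None):
    """Create a token of the form <unix-ts>.<nonce>.<hmac>; `now` is injectable for testing."""
    ts = int(now if now is not None else time.time())
    payload = f"{ts}.{secrets.token_hex(16)}"
    return f"{payload}.{_sign(config, payload)}"


def token_is_valid(config, token, now=None):
    """Check signature and age. Returns (ok, reason) so callers can log why a token failed."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "malformed"
    ts, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(config, f"{ts}.{nonce}")):
        return False, "bad-signature"
    age = (now if now is not None else time.time()) - int(ts)
    if age < 0 or age > MAX_TOKEN_AGE:
        return False, "stale"
    return True, "ok"


def build_csrf_cookie(config, token):
    """Render the Set-Cookie value with flags derived from the config, like an after-request hook."""
    secure = config["CSRF_COOKIE_SECURE"]
    if secure is None:
        secure = config["SESSION_COOKIE_SECURE"]
    name = config["CSRF_COOKIE_NAME"]
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["path"] = "/"
    jar[name]["secure"] = secure
    jar[name]["httponly"] = config["CSRF_COOKIE_HTTPONLY"]
    jar[name]["samesite"] = config["CSRF_COOKIE_SAMESITE"]
    if config["CSRF_COOKIE_DOMAIN"]:
        jar[name]["domain"] = config["CSRF_COOKIE_DOMAIN"]
    return jar[name].OutputString()


def check_request(config, cookies, headers, now=None):
    """Server-side double-submit check: cookie copy and header copy must both be present,
    identical (constant-time compare), correctly signed and not older than MAX_TOKEN_AGE."""
    cookie_tok = cookies.get(config["CSRF_COOKIE_NAME"])
    header_tok = headers.get(CSRF_HEADER)
    if not cookie_tok or not header_tok:
        return False, "missing"
    if not hmac.compare_digest(cookie_tok.encode(), header_tok.encode()):
        return False, "mismatch"
    return token_is_valid(config, cookie_tok, now)


if __name__ == "__main__":
    tok = issue_token(CONFIG)
    print("Set-Cookie:", build_csrf_cookie(CONFIG, tok))
    print("valid request:", check_request(CONFIG, {"XSRF-TOKEN": tok}, {CSRF_HEADER: tok}))
    print("header missing:", check_request(CONFIG, {"XSRF-TOKEN": tok}, {}))
```

The two checks that matter for the pattern are the constant-time comparison of the cookie and header copies and the HMAC over the token: without the signature, a cross-site page that can plant a cookie on a sibling subdomain could supply both halves itself. The `CSRF_COOKIE_HTTPONLY` setting is kept false for exactly the reason the commit gives, so that the client-side utilities in base.html can read the cookie and echo it.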
---
*This is an automated development build. Use at your own risk.*