fix: service edit, CSRF token stability, and license restore (v1.1.1)

- Fix service edit double-write bug (was creating duplicate entries) - Add editable display name field to service edit modal - Backend update endpoint now accepts name, logo, and recalculates url - Fix CSRF token regeneration breaking all POST requests (nonce was being regenerated on every request, invalidating cached tokens) - CSRF nonce now persists across requests, rotated only on TOTP login - Frontend secureFetch auto-retries on CSRF failure with fresh token - Restore lifetime license activation on DNS2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 13:39:05 -07:00
parent 263b090769
commit b4022288dc
9 changed files with 122 additions and 70 deletions
--- a/dashcaddy-api/.license-counter
+++ b/dashcaddy-api/.license-counter
@@ -1 +1 @@
-1
+2
--- a/dashcaddy-api/csrf-protection.js
+++ b/dashcaddy-api/csrf-protection.js
@@ -49,31 +49,56 @@ function parseCookie(cookieHeader) {
 }

 /**
- * Middleware to set CSRF cookie on all requests.
- * Always generates a fresh nonce server-side (never trusts client-supplied values).
- * The cookie holds the nonce; JavaScript must read it and send the HMAC signature
- * in the x-csrf-token header. The /api/csrf-token endpoint provides the signature.
+ * Middleware to set CSRF cookie on requests.
+ * Preserves existing nonce to avoid invalidating tokens the client has cached.
+ * New nonce is generated only on first visit (no cookie) or after TOTP login
+ * (which calls renewCSRFToken). If TOTP is disabled, the nonce is set once
+ * and never changes.
 */
 function csrfCookieMiddleware(req, res, next) {
-  // Always generate a fresh server-side nonce
-  const csrfNonce = generateToken();
+  const cookies = parseCookie(req.headers.cookie);
+  const existingNonce = cookies[CSRF_COOKIE_NAME];
+
+  // Reuse existing nonce; only generate fresh if no cookie exists yet
+  const csrfNonce = existingNonce || generateToken();

  // Store nonce + signature on request so endpoints can access them
  req.csrfToken = signToken(csrfNonce);
  req.csrfNonce = csrfNonce;

-  // Set cookie with the nonce (SameSite=Strict for additional protection)
-  res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
-    httpOnly: false, // Must be readable by JavaScript for signing
-    secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
-    sameSite: 'strict',
-    path: '/',
-    maxAge: 24 * 60 * 60 * 1000 // 24 hours
-  });
+  // Only set cookie if it's new (avoids unnecessary Set-Cookie headers)
+  if (!existingNonce) {
+    res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
+      httpOnly: false, // Must be readable by JavaScript for signing
+      secure: req.secure || req.protocol === 'https',
+      sameSite: 'strict',
+      path: '/',
+      maxAge: 365 * 24 * 60 * 60 * 1000 // 1 year (effectively permanent)
+    });
+  }

  next();
 }

+/**
+ * Generate a fresh CSRF nonce and set it on the response.
+ * Called after TOTP login to rotate the token for the new session.
+ * @param {Object} res - Express response object
+ * @param {boolean} secure - Whether to set Secure flag on cookie
+ * @returns {string} The new CSRF signed token
+ */
+function renewCSRFToken(res, secure) {
+  const csrfNonce = generateToken();
+  res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
+    httpOnly: false,
+    secure: !!secure,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: 365 * 24 * 60 * 60 * 1000
+  });
+  return signToken(csrfNonce);
+}
+
 /**
 * Middleware to validate CSRF token on state-changing requests
 * Validates that the token in the cookie matches the token in the header
@@ -174,5 +199,6 @@ module.exports = {
  signToken,
  parseCookie,
  csrfCookieMiddleware,
-  csrfValidationMiddleware
+  csrfValidationMiddleware,
+  renewCSRFToken
 };
--- a/dashcaddy-api/package.json
+++ b/dashcaddy-api/package.json
@@ -1,6 +1,6 @@
 {
  "name": "dashcaddy-api",
-  "version": "1.1.0",
+  "version": "1.1.1",
  "description": "DashCaddy API server - Dashboard backend for Docker, Caddy & DNS management",
  "main": "server.js",
  "scripts": {
--- a/dashcaddy-api/routes/auth/totp.js
+++ b/dashcaddy-api/routes/auth/totp.js
@@ -1,4 +1,5 @@
 const express = require('express');
+const { renewCSRFToken } = require('../../csrf-protection');

 module.exports = function(ctx) {
  const router = express.Router();
@@ -104,8 +105,12 @@ module.exports = function(ctx) {
    ctx.log.info('auth', 'TOTP verified, creating session', { ip: ctx.session.getClientIP(req), duration: ctx.totpConfig.sessionDuration });
    ctx.session.create(req, ctx.totpConfig.sessionDuration);
    ctx.session.setCookie(res, ctx.totpConfig.sessionDuration);
+
+    // Rotate CSRF token for the new session
+    const newCsrfToken = renewCSRFToken(res, req.secure || req.protocol === 'https');
+
    ctx.log.debug('auth', 'Session created', { sessions: ctx.session.ipSessions.size });
-    res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration });
+    res.json({ success: true, message: 'Authenticated successfully', sessionDuration: ctx.totpConfig.sessionDuration, csrfToken: newCsrfToken });
  }, 'totp-verify'));

  // Check session validity (used by Caddy forward_auth)
--- a/dashcaddy-api/routes/services.js
+++ b/dashcaddy-api/routes/services.js
@@ -371,9 +371,9 @@ module.exports = function(ctx) {
    res.json({ success: true, message: `Service "${id}" removed from dashboard` });
  }, 'services-delete'));

-  // Update service configuration (subdomain, port, IP, tailscale)
+  // Update service configuration (subdomain, port, IP, tailscale, name, logo)
  router.post('/services/update', ctx.asyncHandler(async (req, res) => {
-    const { oldSubdomain, newSubdomain, port, ip, tailscaleOnly } = req.body;
+    const { oldSubdomain, newSubdomain, port, ip, tailscaleOnly, name, logo } = req.body;

    if (!oldSubdomain || !newSubdomain) {
      return ctx.errorResponse(res, 400, 'oldSubdomain and newSubdomain are required');
@@ -440,13 +440,20 @@ module.exports = function(ctx) {
      await ctx.servicesStateManager.update(services => {
        const serviceIndex = services.findIndex(s => s.id === oldSubdomain);
        if (serviceIndex !== -1) {
+          const existing = services[serviceIndex];
+          const finalPort = port || existing.port;
+          const finalIp = ip || existing.ip;
+
          services[serviceIndex] = {
-            ...services[serviceIndex],
+            ...existing,
            id: newSubdomain,
-            port: port || services[serviceIndex].port,
-            ip: ip || services[serviceIndex].ip,
-            tailscaleOnly: tailscaleOnly || false
+            port: finalPort,
+            ip: finalIp,
+            tailscaleOnly: tailscaleOnly || false,
+            url: ctx.buildServiceUrl(newSubdomain)
          };
+          if (name) services[serviceIndex].name = name;
+          if (logo) services[serviceIndex].logo = logo;
          results.services = 'updated';
        } else {
          results.services = 'not found';