update readme and build

internals/auth.go

@@ -11,6 +11,44 @@ import (
 	"time"
 )
 
+// ── CSRF ──────────────────────────────────────────────────────────────
+
+func newCSRFToken() string {
+	b := make([]byte, 24)
+	rand.Read(b) //nolint:errcheck
+	return hex.EncodeToString(b)
+}
+
+// setCSRFCookie writes a fresh CSRF token to a short-lived cookie and returns
+// the token value so it can be embedded in the rendered HTML form.
+func setCSRFCookie(w http.ResponseWriter) string {
+	tok := newCSRFToken()
+	http.SetCookie(w, &http.Cookie{
+		Name:     csrfCookieName,
+		Value:    tok,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+		MaxAge:   900, // 15 min — covers slow typists
+	})
+	return tok
+}
+
+// checkCSRF returns true iff the submitted csrf_token form field matches the
+// cookie value (constant-time compare to prevent timing side-channels).
+func checkCSRF(r *http.Request) bool {
+	c, err := r.Cookie(csrfCookieName)
+	if err != nil || c.Value == "" {
+		return false
+	}
+	formTok := r.FormValue("csrf_token")
+	if formTok == "" {
+		return false
+	}
+	return hmac.Equal([]byte(c.Value), []byte(formTok))
+}
+
 func checkCreds(username, password string) bool {
 	if username != appCreds.Username {
 		return false