Add CSRF protection and token endpoint

Implement CSRF protection across HTTP API endpoints and expose a token endpoint. Changes include:

- Add docs: API and configuration docs updated to describe CSRF protection and the new GET /api/csrf-token endpoint.
- Config: add csrf_allowed_origins to config struct; parse comma-separated origin lists; include built-in localhost defaults and append web UI port-specific origins once port is known.
- confighttp: implement CSRF token generation, storage (with expiration), client identification, and validation logic. Validation allows same-origin requests via Origin/Referer to bypass tokens and requires X-CSRF-Token header or csrf_token query param for cross-origin requests. Register GET /api/csrf-token and integrate validation into state-changing endpoints.
- Web UI: add form field and localization strings for csrf_allowed_origins and include it in config HTML.
- Tests: add unit tests for CSRF token generation, header/query validation, same-origin exemptions, and restore/cleanup of config state.

Also remove usages of the old empty-body checker where CSRF/authentication flow was applied. This commit wires CSRF protection end-to-end (docs, config, server, UI, and tests).

Author: ReenigneArcher

docs/api.md

@@ -5,10 +5,38 @@ Sunshine has a RESTful API which can be used to interact with the service.
 Unless otherwise specified, authentication is required for all API calls. You can authenticate using
 basic authentication with the admin username and password.
 
+## CSRF Protection
+
+State-changing API endpoints (POST, DELETE) are protected against Cross-Site Request Forgery (CSRF) attacks.
+
+**For Web Browsers:**
+- Requests from same-origin (configured via `csrf_allowed_origins`) are automatically allowed
+- Cross-origin requests require a CSRF token
+
+**For Non-Browser Applications:**
+- Applications making requests from the same origin configured in `csrf_allowed_origins` do NOT need CSRF tokens
+- The `Origin` or `Referer` header is automatically checked
+- If your application is making requests from a different origin, you need to:
+  1. Get a CSRF token from `GET /api/csrf-token`
+  2. Include it in requests via `X-CSRF-Token` header or `csrf_token` query parameter
+
+**Example:**
+```bash
+# Get CSRF token (if needed)
+curl -u user:pass https://localhost:47990/api/csrf-token
+
+# Use token in request
+curl -u user:pass -H "X-CSRF-Token: your_token_here" \
+  -X POST https://localhost:47990/api/restart
+```
+
 @htmlonly
 <script src="api.js"></script>
 @endhtmlonly
 
+## GET /api/csrf-token
+@copydoc confighttp::getCSRFToken()
+
 ## GET /api/apps
 @copydoc confighttp::getApps()
 

docs/configuration.md

@@ -1606,6 +1606,35 @@ editing the `conf` file in a text editor. Use the examples as reference.
     </tr>
 </table>
 
+### csrf_allowed_origins
+
+<table>
+    <tr>
+        <td>Description</td>
+        <td colspan="2">
+            Comma-separated list of additional allowed origins for CSRF protection. These origins will be
+            appended to the default allowed origins (localhost variants and the configured web UI port).
+            Requests from allowed origins can access state-changing API endpoints without CSRF tokens.
+            <br><br>
+            @attention{Only add origins you trust. Each origin must be a complete URL prefix
+            including protocol and host (e.g., https://example.com). Port numbers are optional.}
+        </td>
+    </tr>
+    <tr>
+        <td>Default</td>
+        <td colspan="2">@code{}
+            (empty - uses built-in defaults: https://localhost, https://127.0.0.1, https://[::1],
+            with configured UI port variants)
+            @endcode</td>
+    </tr>
+    <tr>
+        <td>Example</td>
+        <td colspan="2">@code{}
+            csrf_allowed_origins = https://myapp.local,https://custom.domain.com
+            @endcode</td>
+    </tr>
+</table>
+
 ### external_ip
 
 <table>

src/config.cpp

@@ -5,6 +5,7 @@
 // standard includes
 #include <algorithm>
 #include <filesystem>
+#include <format>
 #include <fstream>
 #include <functional>
 #include <iostream>
@@ -725,6 +726,27 @@ namespace config {
     }
   }
 
+  void string_list_f(std::unordered_map<std::string, std::string> &vars, const std::string &name, std::vector<std::string> &input) {
+    std::string temp;
+    string_f(vars, name, temp);
+
+    if (temp.empty()) {
+      return;
+    }
+
+    input.clear();
+    std::stringstream ss(temp);
+    std::string item;
+    while (std::getline(ss, item, ',')) {
+      // Trim whitespace
+      item.erase(0, item.find_first_not_of(" \t\r\n"));
+      item.erase(item.find_last_not_of(" \t\r\n") + 1);
+      if (!item.empty()) {
+        input.push_back(item);
+      }
+    }
+  }
+
   void path_f(std::unordered_map<std::string, std::string> &vars, const std::string &name, fs::path &input) {
     // appdata needs to be retrieved once only
     static auto appdata = platf::appdata();
@@ -1165,6 +1187,24 @@ namespace config {
 
     string_restricted_f(vars, "origin_web_ui_allowed", nvhttp.origin_web_ui_allowed, {"pc"sv, "lan"sv, "wan"sv});
 
+    // Parse CSRF allowed origins - always include defaults, then append user-configured origins
+    std::vector<std::string> user_csrf_origins;
+    string_list_f(vars, "csrf_allowed_origins", user_csrf_origins);
+
+    // Start with default localhost variants
+    sunshine.csrf_allowed_origins = {
+      "https://localhost",
+      "https://127.0.0.1",
+      "https://[::1]"
+    };
+
+    // Append user-configured origins
+    sunshine.csrf_allowed_origins.insert(
+      sunshine.csrf_allowed_origins.end(),
+      user_csrf_origins.begin(),
+      user_csrf_origins.end()
+    );
+
     int to = -1;
     int_between_f(vars, "ping_timeout", to, {-1, std::numeric_limits<int>::max()});
     if (to != -1) {
@@ -1242,6 +1282,13 @@ namespace config {
     int_between_f(vars, "port"s, port, {1024 + nvhttp::PORT_HTTPS, 65535 - rtsp_stream::RTSP_SETUP_PORT});
     sunshine.port = (std::uint16_t) port;
 
+    // Now that we have the port, add web UI port-specific origins to CSRF allowed list
+    // Web UI runs on port + 1 (PORT_HTTPS offset is 1 for confighttp)
+    const unsigned short web_ui_port = sunshine.port + 1;
+    sunshine.csrf_allowed_origins.push_back(std::format("https://localhost:{}", web_ui_port));
+    sunshine.csrf_allowed_origins.push_back(std::format("https://127.0.0.1:{}", web_ui_port));
+    sunshine.csrf_allowed_origins.push_back(std::format("https://[::1]:{}", web_ui_port));
+
     string_restricted_f(vars, "address_family", sunshine.address_family, {"ipv4"sv, "both"sv});
     string_f(vars, "bind_address", sunshine.bind_address);
 

src/config.h

@@ -259,6 +259,10 @@ namespace config {
     bool notify_pre_releases;
     bool system_tray;
     std::vector<prep_cmd_t> prep_cmds;
+
+    // List of allowed origins for CSRF protection (e.g., "https://example.com,https://app.example.com")
+    // Comma-separated list of additional origins. Default includes localhost variants and web UI port.
+    std::vector<std::string> csrf_allowed_origins;
   };
 
   extern video_t video;