fix(security): correct CSRF token expiration from nanoseconds to 1 hour

CybotTM · CybotTM · commit 129d143d623b · 2026-01-14T07:52:22.000+01:00
The CSRF Expiration was set to `3600` (integer) but Fiber's CSRF
middleware expects a `time.Duration`. Go interpreted this as
3600 nanoseconds (~3.6 microseconds), causing tokens to expire
instantly and all login attempts to fail with "CSRF token validation
failed".

Changed from `Expiration: 3600` to `Expiration: time.Hour`.
diff --git a/internal/web/server.go b/internal/web/server.go
@@ -188,7 +188,7 @@ func createCSRFConfig(opts *options.Opts) *fiber.Handler {
 		CookieSameSite: "Strict",          // Strict for maximum security with proxy trust enabled
 		CookieSecure:   opts.CookieSecure, // Configurable based on HTTPS availability
 		CookieHTTPOnly: true,
-		Expiration:     3600, // 1 hour
+		Expiration:     time.Hour,
 		KeyGenerator:   csrf.ConfigDefault.KeyGenerator,
 		ContextKey:     "token", // Store token in c.Locals("token") for template access
 		ErrorHandler: func(c *fiber.Ctx, err error) error {
