fix(security): use session-based CSRF storage for persistence (#392)

## Summary

- **Root cause fix**: CSRF middleware was using its own internal
in-memory storage, causing tokens to fail validation
- The v1.1.2 fix corrected the expiration duration but didn't address
the underlying storage issue
- Now uses session-based CSRF storage which persists tokens in the
session store (BBolt when `PersistSessions=true`)

## Root Cause Analysis

The CSRF middleware was configured without a `Session` parameter, which
caused it to use its own internal `memory.New()` storage. This meant:

1. CSRF tokens were stored in a separate in-memory storage from the
session store
2. Tokens were lost on container restart
3. The token lookup failed with "csrf token not found" errors

## Changes

1. **`internal/web/server.go`**: Pass `sessionStore` to
`createCSRFConfig()` and configure CSRF with `Session` and `SessionKey`
parameters
2. **`internal/web/cookie_security_test.go`**: Update tests for
session-based CSRF (requires session cookie, not separate csrf_ cookie)

## Test plan

- [x] All existing CSRF tests pass
- [x] Full test suite passes
- [x] Linter passes with 0 issues
- [ ] Test on production after deployment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: CybotTM

internal/web/cookie_security_test.go

@@ -50,7 +50,7 @@ func TestCookieSecurityWithHTTPS(t *testing.T) {
 	}
 
 	// Test CSRF handler creation doesn't panic
-	csrfHandler := createCSRFConfig(opts)
+	csrfHandler := createCSRFConfig(opts, sessionStore)
 	if csrfHandler == nil {
 		t.Fatal("Expected CSRF handler, got nil")
 	}
@@ -89,7 +89,7 @@ func TestCookieSecurityWithHTTP(t *testing.T) {
 	}
 
 	// Test CSRF handler creation doesn't panic
-	csrfHandler := createCSRFConfig(opts)
+	csrfHandler := createCSRFConfig(opts, sessionStore)
 	if csrfHandler == nil {
 		t.Fatal("Expected CSRF handler, got nil")
 	}
@@ -147,15 +147,15 @@ func TestCookieSecureConfiguration(t *testing.T) {
 			}
 
 			// Test CSRF handler creation with configuration
-			csrfHandler := createCSRFConfig(opts)
+			csrfHandler := createCSRFConfig(opts, sessionStore)
 			if csrfHandler == nil {
 				t.Fatal("Expected CSRF handler, got nil")
 			}
 		})
 	}
 }
 
-// TestCSRFConfigurationAcceptsOpts verifies CSRF handler accepts options parameter
+// TestCSRFConfigurationAcceptsOpts verifies CSRF handler accepts options and session store parameters
 func TestCSRFConfigurationAcceptsOpts(t *testing.T) {
 	opts := &options.Opts{
 		LDAP: ldap.Config{
@@ -176,14 +176,20 @@ func TestCSRFConfigurationAcceptsOpts(t *testing.T) {
 		PoolAcquireTimeout:      10 * time.Second,
 	}
 
-	// Verify CSRF handler creation accepts opts parameter (fixes the signature change)
-	csrfHandler := createCSRFConfig(opts)
+	// Create session store for CSRF middleware
+	sessionStore := createSessionStore(opts)
+	if sessionStore == nil {
+		t.Fatal("Expected session store, got nil")
+	}
+
+	// Verify CSRF handler creation accepts opts and sessionStore parameters
+	csrfHandler := createCSRFConfig(opts, sessionStore)
 	if csrfHandler == nil {
 		t.Fatal("Expected CSRF handler, got nil")
 	}
 
 	// Handler created successfully - type is fiber.Handler (internal Fiber type)
-	t.Log("CSRF handler created successfully with opts parameter")
+	t.Log("CSRF handler created successfully with opts and sessionStore parameters")
 }
 
 // TestCSRFTokenValidation verifies that CSRF tokens are properly validated on POST requests.
@@ -210,13 +216,15 @@ func TestCSRFTokenValidation(t *testing.T) {
 		PoolAcquireTimeout:      10 * time.Second,
 	}
 
-	// Create a test Fiber app with CSRF middleware
-	f := fiber.New()
-	csrfHandler := createCSRFConfig(opts)
+	// Create session store first for CSRF middleware
 	sessionStore := session.New(session.Config{
 		Storage: memory.New(),
 	})
 
+	// Create a test Fiber app with CSRF middleware
+	f := fiber.New()
+	csrfHandler := createCSRFConfig(opts, sessionStore)
+
 	// Test endpoint that returns CSRF token on GET and validates on POST
 	f.All("/test-csrf", *csrfHandler, func(c *fiber.Ctx) error {
 		sess, err := sessionStore.Get(c)
@@ -293,7 +301,8 @@ func TestCSRFTokenValidation(t *testing.T) {
 	})
 
 	t.Run("POST with valid CSRF token succeeds", func(t *testing.T) {
-		// Step 1: GET to obtain CSRF token and cookie
+		// Step 1: GET to obtain CSRF token and session cookie
+		// With session-based CSRF, the token is stored in the session
 		getReq := httptest.NewRequest("GET", "/test-csrf", nil)
 		getResp, err := f.Test(getReq)
 		if err != nil {
@@ -313,25 +322,21 @@ func TestCSRFTokenValidation(t *testing.T) {
 		}
 		csrfToken := tokenMatch[1]
 
-		// Extract CSRF cookie
-		var csrfCookie *http.Cookie
-		for _, cookie := range getResp.Cookies() {
-			if strings.HasPrefix(cookie.Name, "csrf_") {
-				csrfCookie = cookie
-
-				break
-			}
-		}
-
-		if csrfCookie == nil {
-			t.Fatal("CSRF cookie not found in response")
+		// Extract all cookies (session cookie contains the CSRF token with session-based CSRF)
+		cookies := getResp.Cookies()
+		if len(cookies) == 0 {
+			t.Fatal("No cookies found in response (session cookie required for session-based CSRF)")
 		}
 
-		// Step 2: POST with valid CSRF token and cookie
+		// Step 2: POST with valid CSRF token and all cookies (including session cookie)
 		postReq := httptest.NewRequest("POST", "/test-csrf",
 			strings.NewReader("csrf_token="+csrfToken+"&data=test"))
 		postReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		postReq.AddCookie(csrfCookie)
+
+		// Add all cookies from GET response (session-based CSRF needs the session cookie)
+		for _, cookie := range cookies {
+			postReq.AddCookie(cookie)
+		}
 
 		postResp, err := f.Test(postReq)
 		if err != nil {

internal/web/server.go

@@ -119,7 +119,7 @@ func NewApp(opts *options.Opts) (*App, error) {
 	sessionStore := createSessionStore(opts)
 	templateCache := NewTemplateCache(DefaultTemplateCacheConfig())
 	f := createFiberApp()
-	csrfHandler := *createCSRFConfig(opts)
+	csrfHandler := *createCSRFConfig(opts, sessionStore)
 
 	// Load asset manifest for cache-busted files
 	manifestPath := "internal/web/static/manifest.json"
@@ -181,7 +181,9 @@ func setupMiddleware(f *fiber.App) {
 }
 
 // createCSRFConfig creates and returns CSRF middleware configuration
-func createCSRFConfig(opts *options.Opts) *fiber.Handler {
+// Uses session-based storage to ensure CSRF tokens persist across requests
+// and survive container restarts when PersistSessions is enabled.
+func createCSRFConfig(opts *options.Opts, sessionStore *session.Store) *fiber.Handler {
 	csrfHandler := csrf.New(csrf.Config{
 		KeyLookup:      "form:csrf_token",
 		CookieName:     "csrf_",
@@ -190,7 +192,9 @@ func createCSRFConfig(opts *options.Opts) *fiber.Handler {
 		CookieHTTPOnly: true,
 		Expiration:     time.Hour,
 		KeyGenerator:   csrf.ConfigDefault.KeyGenerator,
-		ContextKey:     "token", // Store token in c.Locals("token") for template access
+		Session:        sessionStore, // Use session-based CSRF storage for persistence
+		SessionKey:     "csrf_token", // Key to store CSRF token in session
+		ContextKey:     "token",      // Store token in c.Locals("token") for template access
 		ErrorHandler: func(c *fiber.Ctx, err error) error {
 			log.Warn().Err(err).Msg("CSRF validation failed")
 			c.Status(fiber.StatusForbidden)