From 56c177c8170c1b4f526a796320ce91dce12ce27e Mon Sep 17 00:00:00 2001
From: Johan Lundberg <lundberg@sunet.se>
Date: Tue, 31 Mar 2026 15:24:16 +0200
Subject: [PATCH] fix: add CSRF tokens to admin forms and HTML5 validation
 hints

Add hidden CSRF token inputs to admin profile, groups, and invite
forms. Add maxlength, pattern, and title attributes to invite input.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/porchlight/templates/admin/user_detail.html | 2 ++
 src/porchlight/templates/admin/users.html       | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/porchlight/templates/admin/user_detail.html b/src/porchlight/templates/admin/user_detail.html
index f65717e..99138db 100644
--- a/src/porchlight/templates/admin/user_detail.html
+++ b/src/porchlight/templates/admin/user_detail.html
@@ -11,6 +11,7 @@
 <section>
     <h2>Profile</h2>
     <form hx-post="/admin/users/{{ target_user.userid }}/profile" hx-target="#profile-status" hx-swap="innerHTML">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
         <div>
             <label for="given_name">Given name</label>
             <input type="text" id="given_name" name="given_name" value="{{ target_user.given_name or '' }}" maxlength="255">
@@ -48,6 +49,7 @@
     <h2>Groups</h2>
     <div id="groups-section">
         <form hx-post="/admin/users/{{ target_user.userid }}/groups" hx-target="#groups-status" hx-swap="innerHTML">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
             <div id="group-list">
                 {% for group in target_user.groups %}
                 <span class="group-tag">{{ group }}</span>
diff --git a/src/porchlight/templates/admin/users.html b/src/porchlight/templates/admin/users.html
index 26d660b..675dd11 100644
--- a/src/porchlight/templates/admin/users.html
+++ b/src/porchlight/templates/admin/users.html
@@ -8,8 +8,11 @@
 <section>
     <h2>Create invite</h2>
     <form hx-post="/admin/invite" hx-target="#invite-status" hx-swap="innerHTML">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
         <div class="admin-search">
-            <input type="text" name="username" placeholder="Username for new invite" required>
+            <input type="text" name="username" placeholder="Username or email for new invite" required
+                   maxlength="255" pattern="[a-zA-Z0-9_.@-]+"
+                   title="Letters, digits, dots, hyphens, underscores, and @">
             <button type="submit">Create invite</button>
         </div>
     </form>