fix(security): require CSRF-protected POST to consume a registration link

GET /register/{token} consumed the magic-link token and created a session, so a side-effecting state change happened on a safe method — link prefetchers, email scanners, or a cross-site GET could trigger account setup/login. Split the flow: GET validates the token (without consuming) and renders a confirmation form; POST /register/{token} consumes the token, runs the existing checks, and establishes the session. The POST carries a CSRF token and the session is reset on login as for other auth paths. Refs: porchlight-9k0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 13:40:30 +02:00 · 2026-06-05 13:40:30 +02:00 · baef5e0e2e
commit baef5e0e2e
parent efb265a68b
6 changed files with 96 additions and 10 deletions
--- a/tests/test_auth_routes/test_register_magic_link.py
+++ b/tests/test_auth_routes/test_register_magic_link.py
@ -4,6 +4,7 @@ from httpx import AsyncClient
 from porchlight.authn.password import PasswordService
 from porchlight.invite.service import MagicLinkService
 from porchlight.models import PasswordCredential, User
+from tests.conftest import get_csrf_token


 async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
@ -23,14 +24,33 @@ async def test_register_expired_token_returns_error_page(client: AsyncClient) ->
    assert "Invalid or expired" in res.text


-async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
+async def test_register_get_does_not_consume_token(client: AsyncClient) -> None:
+    """GET is side-effect free: it shows a confirmation form and must not
+    consume the token or create a session."""
+    app = client._transport.app  # type: ignore[union-attr]
+    magic_link_service = app.state.magic_link_service
+
+    link = await magic_link_service.create(username="newuser")
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
+    assert res.status_code == 200
+    assert f'action="/register/{link.token}"' in res.text
+    # Token still valid (not consumed by the GET).
+    assert await magic_link_service.validate(link.token) is not None
+
+
+async def test_register_post_creates_user_and_redirects(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
    magic_link_service = app.state.magic_link_service
    user_repo = app.state.user_repo

    link = await magic_link_service.create(username="newuser")

-    res = await client.get(f"/register/{link.token}", follow_redirects=False)
+    csrf = await get_csrf_token(client)
+    res = await client.post(
+        f"/register/{link.token}",
+        headers={"X-CSRF-Token": csrf},
+        follow_redirects=False,
+    )
    assert res.status_code in (302, 303)
    assert "/manage/credentials" in res.headers["location"]
    assert "setup=1" in res.headers["location"]
@ -44,6 +64,17 @@ async def test_register_valid_token_creates_user_and_redirects(client: AsyncClie
    assert "users" in user.groups


+async def test_register_post_requires_csrf(client: AsyncClient) -> None:
+    app = client._transport.app  # type: ignore[union-attr]
+    magic_link_service = app.state.magic_link_service
+    link = await magic_link_service.create(username="newuser")
+
+    res = await client.post(f"/register/{link.token}", follow_redirects=False)
+    assert res.status_code == 403
+    # Token must not have been consumed by the rejected request.
+    assert await magic_link_service.validate(link.token) is not None
+
+
 async def test_register_used_token_returns_error(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
    magic_link_service = app.state.magic_link_service
@ -67,7 +98,12 @@ async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient)

    link = await magic_link_service.create(username="admin")

-    res = await client.get(f"/register/{link.token}", follow_redirects=False)
+    csrf = await get_csrf_token(client)
+    res = await client.post(
+        f"/register/{link.token}",
+        headers={"X-CSRF-Token": csrf},
+        follow_redirects=False,
+    )
    assert res.status_code in (302, 303)
    assert "/manage/credentials" in res.headers["location"]
    assert "setup=1" in res.headers["location"]
@ -96,7 +132,12 @@ async def test_register_rejects_user_that_already_has_credentials(client: AsyncC
    await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("existing-pass")))

    link = await magic_link_service.create(username="hascreds")
-    res = await client.get(f"/register/{link.token}", follow_redirects=False)
+    csrf = await get_csrf_token(client)
+    res = await client.post(
+        f"/register/{link.token}",
+        headers={"X-CSRF-Token": csrf},
+        follow_redirects=False,
+    )

    # No passwordless login: rejected, not redirected to setup.
    assert res.status_code == 400