# CSRF Posture Review

Last reviewed: 2026-05-13

## Current Surface

WorkOnClock has these browser-write surfaces:

- NextAuth credential login and session routes.
- Next.js JSON route handlers under `apps/web/app/api`.
- Admin forms that submit through `fetch()` with `Content-Type: application/json`.
- Public registration, contact, password reset, and invite acceptance routes.

The NestJS runtime API is primarily used by the Electron desktop app with bearer JWT tokens. Because a bearer token travels in an explicit `Authorization` header rather than in a cookie, the browser never attaches it automatically, so those requests fall outside CSRF scope as long as the NestJS API does not also accept session cookies.

## Current Protections

- NextAuth routes use NextAuth's built-in CSRF handling for auth actions.
- Admin API routes require authenticated sessions and permission checks.
- Browser write routes accept JSON request bodies rather than form posts: an HTML form cannot send `Content-Type: application/json`, and a cross-site `fetch()` that sets it is not a CORS simple request, so the browser demands a preflight before sending it.
- Sensitive public routes have in-memory rate limiting:
  - login,
  - registration,
  - contact,
  - invite creation,
  - password reset request,
  - password reset confirmation.
- Session cookies use NextAuth defaults (`httpOnly`, `sameSite=lax`, and `secure` with the `__Secure-` cookie prefix when the app is served over HTTPS).
- Middleware protects `/admin` and internal API route access.
- Middleware rejects cross-origin authenticated write requests for protected `/api` routes (coverage is not yet complete; see the status note at the end of this page).

## Risk Notes

- SameSite cookie settings should be confirmed in the deployed environment. `sameSite=lax` still sends the session cookie on top-level cross-site GET navigations, so it only protects writes if no route mutates state on GET; `strict` closes that gap but lands users on a logged-out page whenever they follow a link from another site.
- JSON-only requests reduce basic CSRF exposure, but do not replace explicit anti-CSRF tokens for high-risk writes. They also protect only handlers that check the `Content-Type` header: `Request.json()` does not, so a cross-site form with `enctype="text/plain"` can deliver a body that still parses as JSON.
- Public write routes are intentionally unauthenticated and rely on validation plus rate limiting.
- In-memory rate limiting is not sufficient for horizontally scaled production: each instance keeps its own counters, so the effective limit is multiplied by the instance count and reset on every restart.
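The `text/plain` form trick above, worked through as an added example (this is not WorkOnClock code). The form markup and body are constructed for illustration, and `readJsonWriteBody` is a hypothetical helper showing the `Content-Type` check a JSON route handler needs before it calls `request.json()`:

```javascript
// Added example for this review (not WorkOnClock code): a text/plain form post whose
// body parses as JSON, and the Content-Type check that keeps it out of a JSON route.

// Constructed sample: the exact body a browser sends for
//   <form method="POST" enctype="text/plain" action="https://app.example/api/admin/users">
//     <input name='{"role":"admin","pad":"' value='"}'>
//   </form>
// text/plain form encoding is just `name=value\r\n` with no escaping, so the field
// name and value were chosen to assemble into a JSON object.
const TEXT_PLAIN_FORM_BODY = '{"role":"admin","pad":"="}\r\n';

// Media type without parameters, lower-cased; empty string when the header is absent.
function mediaTypeOf(headers) {
  const raw = headers.get('content-type');
  return raw ? raw.split(';')[0].trim().toLowerCase() : '';
}

// What a handler does when it calls `await request.json()` unconditionally: the
// Fetch API reads the body as text and JSON.parses it without consulting Content-Type.
function parseBodyLikeRequestJson(bodyText) {
  return JSON.parse(bodyText);
}

// Hardened reader for JSON write routes. In a Next.js route handler call it as
//   readJsonWriteBody(request.headers, await request.text())
function readJsonWriteBody(headers, bodyText) {
  if (mediaTypeOf(headers) !== 'application/json') {
    // Rejects all three HTML form enctypes (urlencoded, multipart, text/plain).
    return { ok: false, status: 415, error: 'Content-Type must be application/json' };
  }
  try {
    return { ok: true, body: JSON.parse(bodyText) };
  } catch {
    return { ok: false, status: 400, error: 'malformed JSON body' };
  }
}

// Walk-through: the loose parse accepts the cross-site form body; the hardened reader does not.
const loose = parseBodyLikeRequestJson(TEXT_PLAIN_FORM_BODY); // { role: 'admin', pad: '=' }
const rejected = readJsonWriteBody(new Headers({ 'content-type': 'text/plain' }), TEXT_PLAIN_FORM_BODY);
const accepted = readJsonWriteBody(
  new Headers({ 'content-type': 'application/json; charset=utf-8' }),
  '{"role":"viewer"}',
);
console.log(loose.role, rejected.status, accepted.body.role); // admin 415 viewer
```

The comparison is on the bare media type, so a legitimate `application/json; charset=utf-8` still passes while every form enctype is refused with 415 before any parsing happens. This check is a complement to the origin check, not a replacement for it: a same-origin XSS can still send real JSON.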

## Recommended Production Controls

1. Keep NextAuth CSRF protection enabled.
2. Enforce `sameSite=lax` or stricter cookie behavior unless a deployment requirement prevents it.
3. Keep the middleware origin checks for authenticated mutating route handlers:
   - allow the configured app origin and the localhost development origin,
   - compare the `Origin` header (falling back to `Referer` only when `Origin` is absent) exactly against that allow-list, scheme and port included,
   - reject unexpected cross-origin browser requests, including a missing or `null` origin.
4. Keep all admin writes as JSON APIs, check `Content-Type` on the server rather than assuming it, and avoid accepting `application/x-www-form-urlencoded` writes unless CSRF tokens are present.
5. Move rate limiting to Redis/shared store before horizontal scaling.
6. Add automated tests for:
   - unauthenticated write rejection,
   - permission rejection,
   - unexpected origin rejection for every authenticated write route once origin checks are fully enforced,
   - public route rate limits.
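The origin allow-list rule in item 3, as an added example rather than WorkOnClock's own middleware. It assumes the deployed origin is configured as `https://app.example` with `http://localhost:3000` for development, and it uses the `Sec-Fetch-Site` request header as a fast path before falling back to `Origin` and `Referer`; `originDecision` and `enforceOrigin` are hypothetical names:

```javascript
// Added example for this review (not WorkOnClock's middleware): origin enforcement for
// cookie-authenticated mutating requests. Assumed: the first allow-list entry is the
// deployed APP_ORIGIN and the localhost entry exists only for development.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce an origin or URL string to scheme://host[:port]; null when unparseable. This
// also turns the literal "null" Origin of sandboxed iframes into a rejection.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

function buildAllowedOrigins(appOrigin, extra = []) {
  return new Set([appOrigin, ...extra].map(normalizeOrigin).filter(Boolean));
}

// Decide whether a write may proceed. `headers` is a Fetch `Headers` instance.
function originDecision(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: 'safe method' };
  }
  // Fetch Metadata is set by the browser, not by page script. same-origin and none
  // (user-initiated navigation) are safe; anything else falls through to the
  // allow-list so a second configured origin can still be accepted.
  const site = headers.get('sec-fetch-site');
  if (site === 'same-origin' || site === 'none') {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }
  const originHeader = headers.get('origin');
  if (originHeader !== null) {
    const origin = normalizeOrigin(originHeader);
    return origin && allowedOrigins.has(origin)
      ? { allow: true, reason: 'origin allowed' }
      : { allow: false, reason: `origin ${originHeader} not allowed` };
  }
  const refererHeader = headers.get('referer');
  if (refererHeader !== null) {
    const refOrigin = normalizeOrigin(refererHeader);
    return refOrigin && allowedOrigins.has(refOrigin)
      ? { allow: true, reason: 'referer allowed' }
      : { allow: false, reason: 'referer not allowed' };
  }
  // Browsers send Origin on every cross-origin POST, so a session-cookie request
  // carrying neither header is rejected rather than trusted.
  return { allow: false, reason: 'no origin or referer' };
}

// Middleware shape: null means continue to the handler, otherwise an early 403.
function enforceOrigin(request, allowedOrigins) {
  const decision = originDecision(request.method, request.headers, allowedOrigins);
  if (decision.allow) return null;
  return new Response(
    JSON.stringify({ error: 'cross-origin write rejected', reason: decision.reason }),
    { status: 403, headers: { 'content-type': 'application/json' } },
  );
}

// Usage with the assumed allow-list.
const ALLOWED_ORIGINS = buildAllowedOrigins('https://app.example', ['http://localhost:3000']);
const sample = new Request('https://app.example/api/admin/users', { method: 'POST' });
console.log(originDecision(sample.method, new Headers({ origin: 'https://evil.example' }), ALLOWED_ORIGINS));
```

Two design points worth keeping: comparison happens on normalized origins, so `https://app.example:443` matches the configured `https://app.example` while `https://app.example.attacker.net` does not, and `Sec-Fetch-Site: same-site` (a sibling subdomain) is deliberately not on the fast path, because the allow-list is per origin, not per site.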

## Implementation Plan

Short-term:

- Add auth smoke tests for login, session protection, permission gates, and tenant boundaries.
- Keep auth smoke coverage for unexpected-origin write rejection.

Medium-term:

- Add CSRF token validation for any non-JSON form posts.
- Add centralized API route wrappers for auth, permission, origin, validation, and error response handling.
- Add external WAF/rate-limit rules for public write routes.

Current status: reviewed and documented. Full origin enforcement is still pending.
