feat(security): #328 delete old sessions for change and forgot password

handler/middleware/cross_site_request_forgery.go

@@ -61,7 +61,9 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}
 
-			if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
+			// Always sign in anonymous
+			// This way, there is no way to forget creating a csrf token
+			if session == nil {
 				session, _ = auth.SignInAnonymous()
 
 				cookie := CreateSessionCookie(session.Id)

handler/middleware/security_headers.go

@@ -14,13 +14,13 @@ func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Han
 			w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
 			w.Header().Set("Content-Security-Policy",
-				"default-src 'none';"+
-					"script-src 'self' https://umami.me-fit.eu"+
-					"connect-src 'self' https://umami.me-fit.eu"+
-					"img-src 'self'"+
-					"style-src 'self'"+
-					"form-action 'self'"+
-					"frame-ancestors 'none'",
+				"default-src 'none'; "+
+					"script-src 'self' https://umami.me-fit.eu; "+
+					"connect-src 'self' https://umami.me-fit.eu; "+
+					"img-src 'self'; "+
+					"style-src 'self'; "+
+					"form-action 'self'; "+
+					"frame-ancestors 'none'; ",
 			)
 			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")