Security hardening and inline theme version history

Security improvements:
- Fix session security: use store's secure options instead of overriding
- Consolidate IP extraction: auth manager now uses middleware.GetClientIP
  with proper trusted proxy configuration
- Add CSP headers for public pages with permissive policy for CMS content

UI improvements:
- Display theme version history inline on /cm/theme page
- Remove separate Version History button (now shown below Save Theme)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: jonradoff

build.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.0"
+  "version": "1.1"
 }

internal/auth/auth.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"lightcms/internal/database"
+	"lightcms/internal/middleware"
 
 	"github.com/gorilla/sessions"
 	"golang.org/x/crypto/bcrypt"
@@ -19,14 +20,25 @@ const (
 )
 
 type Manager struct {
-	db    *database.DB
-	store *sessions.CookieStore
+	db          *database.DB
+	store       *sessions.CookieStore
+	proxyConfig *middleware.TrustedProxyConfig
 }
 
 func NewManager(store *sessions.CookieStore, db *database.DB) *Manager {
 	return &Manager{
-		db:    db,
-		store: store,
+		db:          db,
+		store:       store,
+		proxyConfig: middleware.DefaultCloudConfig(),
+	}
+}
+
+// NewManagerWithProxyConfig creates a new auth manager with custom proxy configuration
+func NewManagerWithProxyConfig(store *sessions.CookieStore, db *database.DB, proxyConfig *middleware.TrustedProxyConfig) *Manager {
+	return &Manager{
+		db:          db,
+		store:       store,
+		proxyConfig: proxyConfig,
 	}
 }
 
@@ -119,7 +131,7 @@ func (m *Manager) IsDefaultPassword(ctx context.Context) bool {
 
 // CheckRateLimit checks if the IP is rate limited
 func (m *Manager) CheckRateLimit(ctx context.Context, r *http.Request) (bool, string) {
-	ip := getClientIP(r)
+	ip := m.getClientIP(r)
 	locked, duration := m.db.IsLoginLocked(ctx, ip)
 	if locked {
 		minutes := int(duration.Minutes())
@@ -134,13 +146,13 @@ func (m *Manager) CheckRateLimit(ctx context.Context, r *http.Request) (bool, st
 
 // RecordFailedLogin records a failed login attempt
 func (m *Manager) RecordFailedLogin(ctx context.Context, r *http.Request) {
-	ip := getClientIP(r)
+	ip := m.getClientIP(r)
 	m.db.RecordFailedLogin(ctx, ip)
 }
 
 // ClearRateLimit clears rate limiting on successful login
 func (m *Manager) ClearRateLimit(ctx context.Context, r *http.Request) {
-	ip := getClientIP(r)
+	ip := m.getClientIP(r)
 	m.db.ClearLoginAttempts(ctx, ip)
 }
 
@@ -149,13 +161,9 @@ func (m *Manager) Login(w http.ResponseWriter, r *http.Request) error {
 	session, err := m.store.Get(r, sessionName)
 	if err != nil {
 		log.Printf("[LOGIN] store.Get error: %v, creating fresh session", err)
-		// Create a completely new session, ignoring any existing cookie
+		// Create a completely new session, inheriting options from store
 		session = sessions.NewSession(m.store, sessionName)
-		session.Options = &sessions.Options{
-			Path:     "/",
-			MaxAge:   86400 * 7,
-			HttpOnly: true,
-		}
+		session.Options = m.store.Options // Use store's secure options
 		session.IsNew = true
 	}
 	session.Values["authenticated"] = true
@@ -250,29 +258,9 @@ func ValidatePasswordStrength(password string) error {
 	return nil
 }
 
-// getClientIP extracts the client IP address
-func getClientIP(r *http.Request) string {
-	// Check X-Forwarded-For header (for proxies)
-	forwarded := r.Header.Get("X-Forwarded-For")
-	if forwarded != "" {
-		// Take the first IP in the list
-		parts := strings.Split(forwarded, ",")
-		return strings.TrimSpace(parts[0])
-	}
-
-	// Check X-Real-IP header
-	realIP := r.Header.Get("X-Real-IP")
-	if realIP != "" {
-		return realIP
-	}
-
-	// Fall back to RemoteAddr
-	ip := r.RemoteAddr
-	// Remove port if present
-	if colonIdx := strings.LastIndex(ip, ":"); colonIdx != -1 {
-		ip = ip[:colonIdx]
-	}
-	return ip
+// getClientIP extracts the client IP address using the configured proxy settings
+func (m *Manager) getClientIP(r *http.Request) string {
+	return middleware.GetClientIP(r, m.proxyConfig)
 }
 
 func formatDuration(minutes, seconds int) string {

internal/handlers/admin_templates.go

@@ -3013,7 +3013,6 @@ var adminTemplates = map[string]string{
 	"theme": adminLayoutStart + `
         <div class="page-header">
             <h1>Theme Settings</h1>
-            <a href="/cm/theme/versions" class="btn btn-outline">Version History</a>
         </div>
         {{if .Error}}<div class="error-message">{{.Error}}</div>{{end}}
         {{if .Success}}<div class="success-message">{{.Success}}</div>{{end}}
@@ -3119,6 +3118,45 @@ var adminTemplates = map[string]string{
             </div>
         </form>
 
+        {{if .Versions}}
+        <div class="form-card" style="margin-top: 2rem;">
+            <div class="form-section">
+                <h3>Version History</h3>
+                <p style="color: var(--text-muted); margin-bottom: 1rem;">Previous versions of theme settings are saved automatically when you update.</p>
+                <div class="table-container">
+                    <table>
+                        <thead>
+                            <tr>
+                                <th>Version</th>
+                                <th>Site Name</th>
+                                <th>Comment</th>
+                                <th>Saved</th>
+                                <th>Actions</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {{range .Versions}}
+                            <tr>
+                                <td>v{{.Version}}</td>
+                                <td>{{.SiteName}}</td>
+                                <td style="color: var(--text-muted); font-size: 0.9rem; max-width: 200px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;" title="{{.Comment}}">{{if .Comment}}{{.Comment}}{{else}}-{{end}}</td>
+                                <td>{{.CreatedAt.Format "Jan 2, 2006 3:04 PM"}}</td>
+                                <td class="actions">
+                                    <a href="/cm/theme/versions/{{.Version}}" class="btn btn-sm btn-outline">View Diff</a>
+                                    <form method="POST" action="/cm/theme/versions/{{.Version}}/revert" style="display:inline" onsubmit="return confirm('Revert to version {{.Version}}? This will create a new version with the old settings.')">
+                                        {{$.CSRFField}}
+                                        <button type="submit" class="btn btn-sm btn-secondary">Revert</button>
+                                    </form>
+                                </td>
+                            </tr>
+                            {{end}}
+                        </tbody>
+                    </table>
+                </div>
+            </div>
+        </div>
+        {{end}}
+
         <link href="https://cdn.jsdelivr.net/npm/quill@2.0.3/dist/quill.snow.css" rel="stylesheet">
         <script src="https://cdn.jsdelivr.net/npm/quill@2.0.3/dist/quill.js"></script>
         <style>

internal/handlers/handlers.go

@@ -2363,13 +2363,19 @@ func (h *Handler) ThemeSettings(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	settings, err := h.db.GetThemeSettings(r.Context())
+	ctx := r.Context()
+	settings, err := h.db.GetThemeSettings(ctx)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
-	h.renderAdmin(w, r, "theme", map[string]interface{}{"Settings": settings})
+	versions, _ := h.db.GetThemeVersions(ctx)
+
+	h.renderAdmin(w, r, "theme", map[string]interface{}{
+		"Settings": settings,
+		"Versions": versions,
+	})
 }
 
 func (h *Handler) UpdateTheme(w http.ResponseWriter, r *http.Request) {

internal/middleware/security.go

@@ -21,8 +21,7 @@ func SecurityHeaders(next http.Handler) http.Handler {
 			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 		}
 
-		// Content Security Policy - restrictive but allows inline styles/scripts for admin
-		// Note: This is a baseline CSP. For public pages, a stricter CSP could be used
+		// Content Security Policy
 		if strings.HasPrefix(r.URL.Path, "/cm") {
 			// Admin pages - need inline scripts/styles for the UI
 			w.Header().Set("Content-Security-Policy",
@@ -35,6 +34,22 @@ func SecurityHeaders(next http.Handler) http.Handler {
 					"frame-ancestors 'none'; "+
 					"base-uri 'self'; "+
 					"form-action 'self'")
+		} else if !strings.HasPrefix(r.URL.Path, "/static/") && !strings.HasPrefix(r.URL.Path, "/assets/") {
+			// Public pages - more permissive for CMS content but still protective
+			// Allows inline scripts/styles for admin-authored content (analytics, widgets, etc.)
+			// Allows external resources for embeds, CDN images, etc.
+			w.Header().Set("Content-Security-Policy",
+				"default-src 'self'; "+
+					"script-src 'self' 'unsafe-inline' https:; "+
+					"style-src 'self' 'unsafe-inline' https:; "+
+					"font-src 'self' https: data:; "+
+					"img-src 'self' data: https:; "+
+					"media-src 'self' https:; "+
+					"frame-src https:; "+
+					"connect-src 'self' https:; "+
+					"frame-ancestors 'none'; "+
+					"base-uri 'self'; "+
+					"form-action 'self' https:")
 		}
 
 		next.ServeHTTP(w, r)