fix(admin): resolve Medium code-review finding (Admin-006)

Emit <AntiforgeryToken /> in the MainLayout sign-out form and remove .DisableAntiforgery() from the /auth/logout endpoint so UseAntiforgery() validates the token. A tokenless POST now returns 400, preventing CSRF-logout. Regression-guarded by AuthEndpointsTests.Logout_without_antiforgery_token_is_rejected. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 07:26:34 -04:00
parent 55c2a5a209
commit af454c6af6
4 changed files with 21 additions and 11 deletions
@@ -45,6 +45,7 @@
                            .Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
                    </div>
                    <form method="post" action="/auth/logout">
+                        <AntiforgeryToken />
                        <button class="rail-btn" type="submit">Sign out</button>
                    </form>
                </Authorized>