From 0bb057d65bc7c91840cd3bd81bd529319e3c032a Mon Sep 17 00:00:00 2001
From: giles <giles.bradshaw@sigyl.com>
Date: Sat, 21 Feb 2026 15:43:01 +0000
Subject: [PATCH] Add CSRF tokens to login and choose-username forms

Both forms were missing the hidden csrf_token input,
causing 400 Bad Request on POST.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 templates/auth/login.html                 | 1 +
 templates/federation/choose_username.html | 1 +
 2 files changed, 2 insertions(+)

diff --git a/templates/auth/login.html b/templates/auth/login.html
index 87176dc..5e9ca5a 100644
--- a/templates/auth/login.html
+++ b/templates/auth/login.html
@@ -11,6 +11,7 @@
   {% endif %}
 
   <form method="post" action="{{ url_for('auth.start_login') }}" class="space-y-4">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
     <div>
       <label for="email" class="block text-sm font-medium mb-1">Email address</label>
       <input
diff --git a/templates/federation/choose_username.html b/templates/federation/choose_username.html
index 61c89c7..b4543c3 100644
--- a/templates/federation/choose_username.html
+++ b/templates/federation/choose_username.html
@@ -15,6 +15,7 @@
   {% endif %}
 
   <form method="post" class="space-y-4">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
     <div>
       <label for="username" class="block text-sm font-medium mb-1">Username</label>
       <div class="flex items-center">