Public-form CSRF tokens (HMAC + anon-cookie binding)

[tayebmokni]

Summary

Implement public-form CSRF tokens per doc 13 §10.1 for comments, plugin-provided contact forms, and search-tracking POSTs. Each form renders with a token that is the HMAC of (anon-id || form-id || timestamp) signed with auth.session_signing_key. Anon-session is an opaque cookie __site_anon (HttpOnly, SameSite=Lax, Secure, Path=/, max-age 30d). Submit verifies both the token HMAC and the anon-cookie binding. Origin/Referer must match the site origin for state-changing POSTs. High-stakes forms (e.g., password recovery) use single-use tokens.

Design reference

• docs/13-security-baseline.md §10.1 (public-form CSRF tokens), §10.2 (GraphQL mutations)

Acceptance criteria

• __site_anon cookie set on first visit (HttpOnly, SameSite=Lax, Secure, Path=/, max-age 30d, random UUID)
• Token = HMAC(anon-id || form-id || timestamp, auth.session_signing_key), 12h validity
• Server verifies token HMAC + cookie binding + timestamp window on submit
• Origin or Referer matches site origin for state-changing POSTs (rejects mismatched)
• Single-use enforcement for high-stakes forms (e.g., password recovery) via replay cache
• Form helper API for emitting the hidden token field
• Public GraphQL mutations require the public-form token or are blocked
• Tests cover happy path, expired token, missing cookie, bad origin, replayed single-use

Dependencies

#105

Complexity

M

[tayebmokni]

Closing as DONE — implementation landed across the 280+ PRs shipped to date. See triage-report.md (2026-05-25 backlog audit) for the specific file/package evidence. Re-open with a specific gap if any acceptance criterion is missed.