fix: add method="post" to auth forms to prevent credential leak in URL (#4683)

Auth forms (login, register, 2FA, backup-code, reset-password) had no
method attribute, defaulting to GET. react-hook-form's handleSubmit
preventDefault()s only after hydration; submitting in the pre-hydration
or no-JS window triggers a native GET to the current URL, leaking
email/password into the URL, history, access logs and Referer header.

Setting method="post" makes the native fallback a POST so credentials
go in the request body instead. Normal JS submit path is unchanged.
Verified in a browser: GET (?email&password) -> POST (clean URL).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
viky
2026-06-30 02:03:13 +08:00
committed by GitHub
parent ed0abb2465
commit 8b6481501e
4 changed files with 10 additions and 1 deletions


@@ -182,6 +182,7 @@ export default function Home({ IS_CLOUD, enforceSSO }: Props) {
{IS_CLOUD && <SignInWithGoogle />}
<Form {...loginForm}>
<form
method="post"
onSubmit={loginForm.handleSubmit(onSubmit)}
className="space-y-4"
id="login-form"
@@ -263,6 +264,7 @@ export default function Home({ IS_CLOUD, enforceSSO }: Props) {
) : (
<>
<form
method="post"
onSubmit={onTwoFactorSubmit}
className="space-y-4"
id="two-factor-form"
@@ -326,7 +328,11 @@ export default function Home({ IS_CLOUD, enforceSSO }: Props) {
</DialogDescription>
</DialogHeader>
<form onSubmit={onBackupCodeSubmit} className="space-y-4">
<form
method="post"
onSubmit={onBackupCodeSubmit}
className="space-y-4"
>
<div className="flex flex-col gap-2">
<Label>Backup Code</Label>
<Input
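Review bot: `method="post"` changes where the pre-hydration submission lands, not whether it happens: none of the three forms sets an `action`, so the native fallback still POSTs the email, password, 2FA or backup code to the page's own URL, and nothing in the hunk shows that route accepting a POST, so the likely no-JS outcome is an error page or a silent reload after the credentials have already left the browser. If the intent is to close the window rather than reroute it, consider also disabling the submit button until the component has mounted, e.g. `const [hydrated, setHydrated] = useState(false); useEffect(() => setHydrated(true), []);` and `disabled={!hydrated}` on the submit button. The enclosing `Home` component starts and ends outside these hunks.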


@@ -172,6 +172,7 @@ const Register = ({ isCloud }: Props) => {
)}
<Form {...form}>
<form
method="post"
onSubmit={form.handleSubmit(onSubmit)}
className="grid gap-4"
>
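Review bot: The new `method="post"` has no `action` beside it and the JS path never uses it, so a later cleanup could easily drop it as dead markup and silently reintroduce the query-string leak. A one-line comment above the attribute would protect it: `{/* method="post": pre-hydration/no-JS fallback only; keeps credentials out of the URL (see #4683) */}`. `Register` begins and ends outside the hunk.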


@@ -123,6 +123,7 @@ export default function Home({ tokenResetPassword }: Props) {
)}
<Form {...form}>
<form
method="post"
onSubmit={form.handleSubmit(onSubmit)}
className="grid gap-4"
>
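Review bot: For this form the new password now travels in the body, but the reset token itself is unaffected: `tokenResetPassword` arrives as a prop, and if it is read from the page URL (not visible in the hunk) it stays in history and in the Referer of any outbound request regardless of the form method. If that is the case, a `<meta name="referrer" content="no-referrer">` or a `Referrer-Policy` header on this route is the complementary fix; confirm where the token comes from before relying on this change alone. The enclosing `Home` component is outside the hunk.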


@@ -110,6 +110,7 @@ export default function Home() {
{!temp.is2FAEnabled ? (
<Form {...form}>
<form
method="post"
onSubmit={form.handleSubmit(onSubmit)}
className="grid gap-4"
>
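Review bot: Only the `!temp.is2FAEnabled` branch is patched here; the `:` branch of that conditional lies outside the hunk, and if it renders its own `<form>` for the 2FA code entry that form still defaults to GET and would put the code in the URL on a pre-hydration submit. Worth checking that branch and adding `method="post"` there as well, since the commit description lists 2FA among the forms meant to be covered. The enclosing `Home` component starts and ends outside the hunk.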