From 8b6481501e6e379b9ce32c4da4201fcb7a65364a Mon Sep 17 00:00:00 2001
From: viky <112059651+vikyw89@users.noreply.github.com>
Date: Tue, 30 Jun 2026 02:03:13 +0800
Subject: [PATCH] fix: add method="post" to auth forms to prevent credential leak in URL (#4683)
Auth forms (login, register, 2FA, backup-code, reset-password) had no method attribute, defaulting to GET. react-hook-form's handleSubmit preventDefault()s only after hydration; submitting in the pre-hydration or no-JS window triggers a native GET to the current URL, leaking email/password into the URL, history, access logs and Referer header. Setting method="post" makes the native fallback a POST so credentials go in the request body instead. Normal JS submit path is unchanged. Verified in a browser: GET (?email&password) -> POST (clean URL).
Co-authored-by: Claude Opus 4.8 (1M context)
---
apps/dokploy/pages/index.tsx | 8 +++++++-
apps/dokploy/pages/register.tsx | 1 +
apps/dokploy/pages/reset-password.tsx | 1 +
apps/dokploy/pages/send-reset-password.tsx | 1 +
4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/apps/dokploy/pages/index.tsx b/apps/dokploy/pages/index.tsx
index a9aaf7263..8e53e4658 100644
--- a/apps/dokploy/pages/index.tsx
+++ b/apps/dokploy/pages/index.tsx
@@ -182,6 +182,7 @@ export default function Home({ IS_CLOUD, enforceSSO }: Props) { {IS_CLOUD && }
- +
{ )}
diff --git a/apps/dokploy/pages/reset-password.tsx b/apps/dokploy/pages/reset-password.tsx
index eff238979..46a655298 100644
--- a/apps/dokploy/pages/reset-password.tsx
+++ b/apps/dokploy/pages/reset-password.tsx
@@ -123,6 +123,7 @@ export default function Home({ tokenResetPassword }: Props) { )}
diff --git a/apps/dokploy/pages/send-reset-password.tsx b/apps/dokploy/pages/send-reset-password.tsx
index 63154d050..7d3c47d51 100644
--- a/apps/dokploy/pages/send-reset-password.tsx
+++ b/apps/dokploy/pages/send-reset-password.tsx
@@ -110,6 +110,7 @@ export default function Home() { {!temp.is2FAEnabled ? (
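Review bot: The native fallback now POSTs the credentials to the page URL itself in all four files, because the diffstat shows a single added line per form (the `method="post"` attribute; the form tags are stripped from this extract) and no `action` is set. A pre-hydration submit therefore presumably reaches a page route that does not process the body, so the login silently does nothing. Consider keeping the submit button disabled until hydration completes, and confirm that no middleware or reverse proxy logs request bodies for these routes. A short comment on each form such as `{/* method="post": a pre-hydration native submit must not fall back to GET and put credentials in the URL */}` would keep the attribute from being removed later as redundant. Credentials submitted before this fix may still sit in access logs and browser history, so the release notes should tell operators to purge those logs and rotate affected passwords.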