Improve expired session and CSRF error handling

app/admin.py

@@ -40,13 +40,22 @@ from app.utils import pagination
 from app.utils.emoji import EMOJIS_BY_NAME
 
 
-def user_session_or_redirect(
+async def user_session_or_redirect(
     request: Request,
     session: str | None = Cookie(default=None),
 ) -> None:
+    if request.method == "POST":
+        form_data = await request.form()
+        if "redirect_url" in form_data:
+            redirect_url = form_data["redirect_url"]
+        else:
+            redirect_url = request.url_for("admin_stream")
+    else:
+        redirect_url = str(request.url)
+
     _RedirectToLoginPage = HTTPException(
         status_code=302,
-        headers={"Location": request.url_for("login") + f"?redirect={request.url}"},
+        headers={"Location": request.url_for("login") + f"?redirect={redirect_url}"},
     )
 
     if not session:

app/config.py

@@ -200,10 +200,19 @@ def generate_csrf_token() -> str:
     return csrf_serializer.dumps(secrets.token_hex(16))  # type: ignore
 
 
-def verify_csrf_token(csrf_token: str = Form()) -> None:
+def verify_csrf_token(
+    csrf_token: str = Form(),
+    redirect_url: str | None = Form(None),
+) -> None:
+    please_try_again = "please try again"
+    if redirect_url:
+        please_try_again = f'<a href="{redirect_url}">please try again</a>'
     try:
         csrf_serializer.loads(csrf_token, max_age=1800)
     except (itsdangerous.BadData, itsdangerous.SignatureExpired):
         logger.exception("Failed to verify CSRF token")
-        raise HTTPException(status_code=403, detail="CSRF error")
+        raise HTTPException(
+            status_code=403,
+            detail=f"The security token expired, {please_try_again}",
+        )
     return None

app/scss/main.scss

@@ -509,3 +509,9 @@ nav.flexbox {
     }
   }
 }
+
+.error-title {
+  a {
+    text-decoration: underline;
+  }
+}

app/templates/error.html

@@ -6,7 +6,7 @@
 {% endblock %}
 
 {% block content %}
-<div class="centered primary-color">
-    <h1>{{ title }}</h1>
+<div class="centered primary-color box">
+    <h1 class="error-title">{{ title | safe }}</h1>
 </div>
 {% endblock %}

docs/user_guide.md

@@ -33,7 +33,7 @@ Whenever one of these config items is updated, an `Update` activity will be sent
 
 The server will need to be restarted for taking changes into account.
 
-Before restarting, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
+Before restarting the server, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
 
 
 ### Profile metadata
@@ -161,7 +161,7 @@ And only the last 20 interactions (likes/shares/webmentions) will be displayed,
 
 ## Admin section
 
-You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin`.
+You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin/login`.
 The password is the one set during the initial configuration.
 
 ### Lookup