From 9b7438a56d0ebace3979c9d55e79093e3dd94469 Mon Sep 17 00:00:00 2001
From: Jesse Hills <3060199+jesserockz@users.noreply.github.com>
Date: Tue, 19 Mar 2024 13:39:01 +1300
Subject: [PATCH] Require xsrf/csrf when using a password (#6396)

---
 esphome/dashboard/web_server.py | 6 ++++++
 requirements.txt                | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/esphome/dashboard/web_server.py b/esphome/dashboard/web_server.py
index 3de1d69115..9ee2312781 100644
--- a/esphome/dashboard/web_server.py
+++ b/esphome/dashboard/web_server.py
@@ -688,6 +688,11 @@ class MainRequestHandler(BaseHandler):
     @authenticated
     def get(self) -> None:
         begin = bool(self.get_argument("begin", False))
+        if settings.using_password:
+            # Simply accessing the xsrf_token sets the cookie for us
+            self.xsrf_token  # pylint: disable=pointless-statement
+        else:
+            self.clear_cookie("_xsrf")
 
         self.render(
             "index.template.html",
@@ -1102,6 +1107,7 @@ def make_app(debug=get_bool_env(ENV_DEV)) -> tornado.web.Application:
         "log_function": log_function,
         "websocket_ping_interval": 30.0,
         "template_path": get_base_frontend_path(),
+        "xsrf_cookies": settings.using_password,
     }
     rel = settings.relative_url
     return tornado.web.Application(
diff --git a/requirements.txt b/requirements.txt
index 9b5e06fc59..4b7e501e97 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,7 +12,7 @@ pyserial==3.5
 platformio==6.1.13 # When updating platformio, also update Dockerfile
 esptool==4.7.0
 click==8.1.7
-esphome-dashboard==20231107.0
+esphome-dashboard==20240319.0
 aioesphomeapi==23.1.1
 zeroconf==0.131.0
 python-magic==0.4.27
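Review bot: The `_xsrf` cookie is minted only inside this `@authenticated` handler, so a browser that gets redirected to the login page never receives it, while `xsrf_cookies` is now enabled for the whole application and Tornado runs `check_xsrf_cookie` on every non-GET request, the login POST included. Unless the login handler (outside this hunk) also touches `self.xsrf_token` on GET, renders `xsrf_form_html()` in its template, or overrides `check_xsrf_cookie` to exempt itself, the first login will be rejected with 403; that path cannot be seen here, so it is worth confirming before merge. The `else` branch also deliberately leaves a password-less dashboard with no CSRF protection at all, which a later reader may mistake for an oversight; a one-line comment such as `# no password means no session to protect, so xsrf is intentionally off here` would record the trade-off. As a point of style, `_ = self.xsrf_token` reads the property without needing the pylint suppression. `get` continues past the end of the hunk.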
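Review bot: `"xsrf_cookies": settings.using_password` turns the check on but leaves the `_xsrf` cookie with Tornado's default attributes, i.e. no `SameSite` and no `Secure` flag; Tornado forwards an `xsrf_cookie_kwargs` setting to the `set_cookie` call that mints it, so `"xsrf_cookie_kwargs": {"samesite": "Lax"},` next to this line would keep the cookie off cross-site top-level POSTs without affecting the same-origin frontend. Do not add `httponly` there: the dashboard frontend presumably reads `_xsrf` from `document.cookie` to send it in the `X-XSRFToken` header, which the accompanying `esphome-dashboard` bump suggests but this diff does not show. `secure` should stay conditional on the scheme actually served, since the dashboard is commonly reached over plain HTTP on a LAN. `make_app` starts and ends outside this hunk.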