mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#410): skip CSRF guard on auth catch-all route
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details

Browse Source 
The global CsrfGuard blocks POST /auth/sign-in/oauth2 with 403 because
unauthenticated users have no session and therefore no CSRF token.
BetterAuth handles its own CSRF protection via toNodeHandler().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-16 03:41:50 -06:00
parent e2ffaa71b1
commit 3376d8162e
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/api/src/auth/auth.controller.ts
View File

@@ -5,6 +5,7 @@ import type { AuthUser, AuthSession } from "@mosaic/shared";
import { AuthService } from "./auth.service"; import { AuthService } from "./auth.service";
import { AuthGuard } from "./guards/auth.guard"; import { AuthGuard } from "./guards/auth.guard";
import { CurrentUser } from "./decorators/current-user.decorator"; import { CurrentUser } from "./decorators/current-user.decorator";
import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
interface RequestWithSession { interface RequestWithSession {
user?: AuthUser; user?: AuthUser;
@@ -88,6 +89,7 @@ export class AuthController {
* Rate limiting and logging are applied to mitigate abuse (SEC-API-10). * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
*/ */
@All("*") @All("*")
@SkipCsrf()
@Throttle({ strict: { limit: 10, ttl: 60000 } }) @Throttle({ strict: { limit: 10, ttl: 60000 } })
async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> { async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {
// Extract client IP for logging // Extract client IP for logging