fix: Complete CSRF protection implementation
Closes three CSRF security gaps identified in code review:

1. Added X-CSRF-Token and X-Workspace-Id to CORS allowed headers
   - Updated apps/api/src/main.ts to accept CSRF token headers

2. Integrated CSRF token handling in web client
   - Added fetchCsrfToken() to fetch token from API
   - Store token in memory (not localStorage for security)
   - Automatically include X-CSRF-Token in POST/PUT/PATCH/DELETE
   - Implement automatic token refresh on 403 CSRF errors
   - Added comprehensive test coverage for CSRF functionality

3. Applied CSRF Guard globally
   - Added CsrfGuard as APP_GUARD in app.module.ts
   - Verified @SkipCsrf() decorator works for exempted endpoints

All tests passing. CSRF protection now enforced application-wide.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@@ -75,7 +75,7 @@ async function bootstrap() {
|
||||
},
|
||||
credentials: true, // Required for cookie-based authentication
|
||||
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
|
||||
allowedHeaders: ["Content-Type", "Authorization", "Cookie"],
|
||||
allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],
|
||||
exposedHeaders: ["Set-Cookie"],
|
||||
maxAge: 86400, // 24 hours - cache preflight requests
|
||||
});
|
||||
|
||||
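Review bot: The added `allowedHeaders` line lets cross-origin callers send `X-CSRF-Token` and `X-Workspace-Id` on credentialed requests (`credentials: true` is in the context above it), so how much this protects depends on the `origin` option, which sits above the hunk and is not shown. Please confirm it is an explicit allowlist rather than a wildcard or a reflected request origin, and consider a short comment on this line naming the guard and client code that rely on these two headers. A smaller point for a follow-up: `"Cookie"` in `allowedHeaders` and `"Set-Cookie"` in `exposedHeaders` have no effect, since browsers do not let scripts set the former or read the latter. If `fetchCsrfToken()` ever reads the token from a response header instead of the body, that header name is what `exposedHeaders` would need to carry.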