From 5207d8c0c93a7b160d42e1097ef1994e6a80227b Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Tue, 3 Mar 2026 12:36:01 -0600
Subject: [PATCH] fix(chat): skip CSRF for guest endpoint

---
 apps/api/src/chat-proxy/chat-proxy.controller.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/api/src/chat-proxy/chat-proxy.controller.ts b/apps/api/src/chat-proxy/chat-proxy.controller.ts
index 763e56d..ad38272 100644
--- a/apps/api/src/chat-proxy/chat-proxy.controller.ts
+++ b/apps/api/src/chat-proxy/chat-proxy.controller.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, HttpException, Logger, Post, Req, Res, UseGuards } from "@nestjs/common";
 import type { Response } from "express";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
 import type { MaybeAuthenticatedRequest } from "../auth/types/better-auth-request.interface";
 import { ChatStreamDto } from "./chat-proxy.dto";
 import { ChatProxyService } from "./chat-proxy.service";
@@ -14,6 +15,7 @@ export class ChatProxyController {
 // POST /api/chat/guest
 // Guest chat endpoint - no authentication required
 // Uses a shared LLM configuration for unauthenticated users
+ @SkipCsrf()
 @Post("guest")
 async guestChat(
 @Body() body: ChatStreamDto,
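Review bot: `@SkipCsrf()` on `guestChat` in the second hunk has no comment saying why the exemption is safe, and the comment block above it still only covers authentication. The file imports `MaybeAuthenticatedRequest`, so if this handler (whose parameter list continues outside the hunk) reads a session cookie when one is present, a cross-site POST would run with that session and no token check; the exemption is only sound while the handler ignores ambient credentials. I would add above the decorator: `// CSRF skipped: guests carry no session or token; this handler must not read cookies or session state`. Since the endpoint spends a shared LLM configuration, it is also worth confirming that rate limiting and the CORS policy cover this route, as neither is visible in this patch.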