From 976d14d94b3893a283b606456759d776ac727ddd Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Mon, 16 Feb 2026 11:04:34 -0600
Subject: [PATCH] fix(#412): enable PKCE, fix docker OIDC default, document @SkipCsrf

- AUTH-003: Add safe empty default for OIDC_REDIRECT_URI in swarm compose
- AUTH-004: Enable PKCE (pkce: true) in genericOAuth config (in prior commit)
- AUTH-005: Document @SkipCsrf() rationale (BetterAuth internal CSRF)

Refs #412
Co-Authored-By: Claude Opus 4.6
---
 apps/api/src/auth/auth.controller.ts | 6 ++++++
 docker-compose.swarm.portainer.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
index c3f98b6..bb2e2d7 100644
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -89,6 +89,12 @@ export class AuthController {
 * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
 */
 @All("*")
+ /**
+ * BetterAuth implements CSRF protection internally via Fetch Metadata headers
+ * (Sec-Fetch-Site, Sec-Fetch-Mode) and SameSite=Lax cookies. The @SkipCsrf()
+ * decorator skips the custom CSRF guard to avoid double-protection conflicts.
+ * Reference: https://www.better-auth.com/docs/reference/security
+ */
 @SkipCsrf()
 @Throttle({ strict: { limit: 10, ttl: 60000 } })
 async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise {
diff --git a/docker-compose.swarm.portainer.yml b/docker-compose.swarm.portainer.yml
index 7ad1e55..a544963 100644
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
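Review bot: The new `/** … */` block is placed between the `@All("*")` and `@SkipCsrf()` decorators, where TSDoc tooling does not attach it to `handleAuth`; the method's existing doc comment, which ends with the SEC-API-10 sentence just above `@All("*")`, is the natural home for this rationale, or a `//` comment directly above `@SkipCsrf()` if it should stay next to the decorator. Because `@All("*")` routes every method and sub-path of this controller through the skip, the comment should state the precondition as well as the mechanism, e.g. `* Skipping the app CSRF guard is safe only while BetterAuth's own check (Fetch Metadata headers + SameSite=Lax cookie) remains enabled in the auth configuration; re-verify this whenever that configuration changes.` The body of handleAuth continues outside the hunk.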
@@ -293,7 +293,7 @@ services:
 OIDC_ISSUER: ${OIDC_ISSUER}
 OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
 OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
- OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-http://localhost:3001/auth/callback}
+ OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-}
 JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}
 JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
 BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
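Review bot: `${OIDC_REDIRECT_URI:-}` still exports the variable as an empty string rather than leaving it unset, so an API-side presence check on `OIDC_REDIRECT_URI` (as opposed to a truthiness check) would still treat OIDC as configured with a blank callback URL; if OIDC is mandatory for this swarm deployment, `${OIDC_REDIRECT_URI:?OIDC_REDIRECT_URI must be set}` fails the deploy loudly instead. Either way a short YAML comment above the key would record why there is no default, e.g. `# Externally reachable callback URL; intentionally no localhost default so a dev value never ships to swarm.` The same reasoning applies to the `JWT_SECRET` placeholder default two lines below, which this commit leaves in place.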