mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#412): enable PKCE, fix docker OIDC default, document @SkipCsrf
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details

Browse Source 
- AUTH-003: Add safe empty default for OIDC_REDIRECT_URI in swarm compose
- AUTH-004: Enable PKCE (pkce: true) in genericOAuth config (in prior commit)
- AUTH-005: Document @SkipCsrf() rationale (BetterAuth internal CSRF)

Refs #412

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-16 11:04:34 -06:00
parent b2eec3cf83
commit 976d14d94b
2 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/api/src/auth/auth.controller.ts
View File

@@ -89,6 +89,12 @@ export class AuthController {
* Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
*/
@All("*")
/**
* BetterAuth implements CSRF protection internally via Fetch Metadata headers
* (Sec-Fetch-Site, Sec-Fetch-Mode) and SameSite=Lax cookies. The @SkipCsrf()
* decorator skips the custom CSRF guard to avoid double-protection conflicts.
* Reference: https://www.better-auth.com/docs/reference/security
*/
@SkipCsrf()
@Throttle({ strict: { limit: 10, ttl: 60000 } })
async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {