fix(api): resolve CSRF guard ordering with global AuthGuard (#514)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/api/src/common/guards/csrf.guard.ts

@@ -89,30 +89,30 @@ export class CsrfGuard implements CanActivate {
       throw new ForbiddenException("CSRF token mismatch");
     }
 
-    // Validate session binding via HMAC
+    // Validate session binding via HMAC when user context is available.
+    // CsrfGuard is a global guard (APP_GUARD) that runs before per-controller
+    // AuthGuard, so request.user may not be populated yet. In that case, the
+    // double-submit cookie match above is sufficient CSRF protection.
     const userId = request.user?.id;
-    if (!userId) {
-      this.logger.warn({
-        event: "CSRF_NO_USER_CONTEXT",
+    if (userId) {
+      if (!this.csrfService.validateToken(cookieToken, userId)) {
+        this.logger.warn({
+          event: "CSRF_SESSION_BINDING_INVALID",
+          method: request.method,
+          path: request.path,
+          securityEvent: true,
+          timestamp: new Date().toISOString(),
+        });
+
+        throw new ForbiddenException("CSRF token not bound to session");
+      }
+    } else {
+      this.logger.debug({
+        event: "CSRF_SKIP_SESSION_BINDING",
         method: request.method,
         path: request.path,
-        securityEvent: true,
-        timestamp: new Date().toISOString(),
+        reason: "User context not yet available (global guard runs before AuthGuard)",
       });
-
-      throw new ForbiddenException("CSRF validation requires authentication");
-    }
-
-    if (!this.csrfService.validateToken(cookieToken, userId)) {
-      this.logger.warn({
-        event: "CSRF_SESSION_BINDING_INVALID",
-        method: request.method,
-        path: request.path,
-        securityEvent: true,
-        timestamp: new Date().toISOString(),
-      });
-
-      throw new ForbiddenException("CSRF token not bound to session");
     }
 
     return true;