fix(api): skip CSRF for Bearer-authenticated requests

fix(api): add AuthModule to FleetSettingsModule and ChatProxyModule (#621 )
Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 13:01:06 -06:00 · 2026-03-01 18:06:49 +00:00 · 2026-03-01 17:52:10 +00:00
4 changed files with 20 additions and 2 deletions
--- a/apps/api/src/chat-proxy/chat-proxy.module.ts
+++ b/apps/api/src/chat-proxy/chat-proxy.module.ts
@@ -1,4 +1,5 @@
 import { Module } from "@nestjs/common";
+import { AuthModule } from "../auth/auth.module";
 import { AgentConfigModule } from "../agent-config/agent-config.module";
 import { ContainerLifecycleModule } from "../container-lifecycle/container-lifecycle.module";
 import { PrismaModule } from "../prisma/prisma.module";
@@ -6,7 +7,7 @@ import { ChatProxyController } from "./chat-proxy.controller";
 import { ChatProxyService } from "./chat-proxy.service";

@Module({
-  imports: [PrismaModule, ContainerLifecycleModule, AgentConfigModule],
+  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule],
  controllers: [ChatProxyController],
  providers: [ChatProxyService],
  exports: [ChatProxyService],
--- a/apps/api/src/common/guards/csrf.guard.spec.ts
+++ b/apps/api/src/common/guards/csrf.guard.spec.ts
@@ -87,6 +87,17 @@ describe("CsrfGuard", () => {
  });

  describe("State-changing methods requiring CSRF", () => {
+    it("should allow POST with Bearer auth without CSRF token", () => {
+      const context = createContext(
+        "POST",
+        {},
+        { authorization: "Bearer api-token" },
+        false,
+        "user-123"
+      );
+      expect(guard.canActivate(context)).toBe(true);
+    });
+
    it("should reject POST without CSRF token", () => {
      const context = createContext("POST", {}, {}, false, "user-123");
      expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
--- a/apps/api/src/common/guards/csrf.guard.ts
+++ b/apps/api/src/common/guards/csrf.guard.ts
@@ -57,6 +57,11 @@ export class CsrfGuard implements CanActivate {
      return true;
    }

+    const authHeader = request.headers.authorization;
+    if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) {
+      return true;
+    }
+
    // Get CSRF token from cookie and header
    const cookies = request.cookies as Record<string, string> | undefined;
    const cookieToken = cookies?.["csrf-token"];
--- a/apps/api/src/fleet-settings/fleet-settings.module.ts
+++ b/apps/api/src/fleet-settings/fleet-settings.module.ts
@@ -1,11 +1,12 @@
 import { Module } from "@nestjs/common";
+import { AuthModule } from "../auth/auth.module";
 import { PrismaModule } from "../prisma/prisma.module";
 import { CryptoModule } from "../crypto/crypto.module";
 import { FleetSettingsController } from "./fleet-settings.controller";
 import { FleetSettingsService } from "./fleet-settings.service";

@Module({
-  imports: [PrismaModule, CryptoModule],
+  imports: [AuthModule, PrismaModule, CryptoModule],
  controllers: [FleetSettingsController],
  providers: [FleetSettingsService],
  exports: [FleetSettingsService],
Author	SHA1	Message	Date
Jason Woltje	97b14edbaa	fix(api): skip CSRF for Bearer-authenticated requests All checks were successful ci/woodpecker/push/ci Pipeline was successful Details	2026-03-01 13:01:06 -06:00
Jason Woltje	559c6b3831	fix(api): add AuthModule to FleetSettingsModule and ChatProxyModule (#621 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 18:06:49 +00:00
Jason Woltje	631e5010b5	fix(api): add ConfigModule to ContainerLifecycleModule imports (#620 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 17:52:10 +00:00