Compare commits
2 Commits
fix/contro
...
fix/csrf-d
| Author | SHA1 | Date | |
|---|---|---|---|
| fa567114d6 | |||
| 2b6bed2480 |
@@ -111,14 +111,9 @@ export class CsrfGuard implements CanActivate {
|
||||
|
||||
throw new ForbiddenException("CSRF token not bound to session");
|
||||
}
|
||||
} else {
|
||||
this.logger.debug({
|
||||
event: "CSRF_SKIP_SESSION_BINDING",
|
||||
method: request.method,
|
||||
path: request.path,
|
||||
reason: "User context not yet available (global guard runs before AuthGuard)",
|
||||
});
|
||||
}
|
||||
// Note: when userId is absent, the double-submit cookie check above is
|
||||
// sufficient CSRF protection. AuthGuard populates request.user afterward.
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user