Complete CSRF protection implementation #324

Closed

jason.woltje wants to merge 0 commits from fix/csrf-protection-complete into develop

pull from: fix/csrf-protection-complete

merge into: mosaic:develop

mosaic:main

mosaic:fix/ci-glibc-image

mosaic:fix/dockerfile-npmrc

mosaic:fix/matrix-native-binary

mosaic:fix/kaniko-cache

mosaic:fix/base-image-kaniko-v2

mosaic:fix/base-image-kaniko

mosaic:feat/custom-base-image

mosaic:ci/pnpm-cache

mosaic:fix/interceptor-tests

mosaic:fix/kanban-tests

mosaic:feat/wire-chat

mosaic:feat/usage-widget

mosaic:fix/security-hardening

mosaic:fix/project-domain-v2

mosaic:feat/kanban-add-task

mosaic:fix/project-domain-attach

mosaic:fix/logs-page-clean

mosaic:fix/workspace-members

mosaic:fix/ci-lint-632

mosaic:fix/file-manager-tags

mosaic:fix/csrf-debug-log

mosaic:fix/controller-type-imports

mosaic:fix/system-admin-env

mosaic:fix/gateway-cors-trusted-origins

mosaic:feat/project-detail-page

mosaic:fix/fleet-provider-form-dto-v2

mosaic:fix/ms22-audit

mosaic:fix/orchestrator-widgets

mosaic:fix/fleet-provider-form-dto

mosaic:fix/csrf-bearer-bypass

mosaic:fix/ms22-missing-authmodule-imports

mosaic:fix/container-lifecycle-config-module

mosaic:fix/swarm-compose-ms22-vars

mosaic:chore/ms22-p1-complete

mosaic:feat/ms22-p1h-settings-ui

mosaic:feat/ms22-p1f-onboarding-ui

mosaic:feat/ms22-p1i-chat-proxy

mosaic:feat/ms22-p1k-idle-reaper

mosaic:feat/ms22-p1j-docker

mosaic:feat/ms22-p1e-onboarding-api

mosaic:feat/ms22-p1g-settings-api

mosaic:feat/ms22-p1d-container-mgr

mosaic:feat/ms22-p1c-config-api

mosaic:chore/ms22-prd-tracking

mosaic:feat/ms22-p1a-schema

mosaic:feat/ms22-p1b-crypto

mosaic:chore/ms22-p1-tasks

mosaic:docs/ms22-architecture

mosaic:feat/ms22-openclaw-docker

mosaic:feat/ms22-openclaw-gateway-module

mosaic:chore/ms21-complete

mosaic:chore/ms21-final-tasks-done

mosaic:fix/ms21-ui-001-qa

mosaic:test/ms21-ui-tests

mosaic:chore/ms21-tasks-sync

mosaic:chore/ms22-phase0-complete

mosaic:feat/ms22-ingest-clean

mosaic:feat/ms21-ui-users-members

mosaic:feat/ms22-task-agent

mosaic:chore/tasks-final

mosaic:chore/tasks-update

mosaic:feat/ms21-session-invalidation

mosaic:feat/ms21-rbac-settings

mosaic:feat/ms21-teams-page

mosaic:feat/ms21-users-page

mosaic:feat/ms19-terminal-persistence

Conversation 0 Commits - Files Changed -

jason.woltje commented 2026-02-04 13:13:52 +00:00

Owner

Copy Link

Summary

Closes three CSRF security gaps identified in code review:

• Added X-CSRF-Token and X-Workspace-Id to CORS allowed headers - Updated to accept CSRF token headers from frontend
• Integrated CSRF token handling in web client - Added automatic token fetching, in-memory storage, inclusion in state-changing requests, and automatic refresh on 403 errors
• Applied CSRF Guard globally - Added as in for application-wide protection

Test Plan

• CSRF token fetching and caching works
• X-CSRF-Token header included in POST/PUT/PATCH/DELETE requests
• Automatic token refresh on 403 CSRF errors
• @SkipCsrf() decorator works for exempted endpoints
• All existing tests pass
• Type checking passes
• Linting passes

Changes

API (apps/api)

• : Added X-CSRF-Token and X-Workspace-Id to CORS allowedHeaders
• : Applied CsrfGuard globally as APP_GUARD

Web (apps/web)

• : Added CSRF token management (fetch, store, include, refresh)
• : Added comprehensive CSRF protection tests (35 total tests, all passing)

All tests passing. CSRF protection now enforced application-wide with automatic token management.

Generated with Claude Code

## Summary Closes three CSRF security gaps identified in code review: - **Added X-CSRF-Token and X-Workspace-Id to CORS allowed headers** - Updated to accept CSRF token headers from frontend - **Integrated CSRF token handling in web client** - Added automatic token fetching, in-memory storage, inclusion in state-changing requests, and automatic refresh on 403 errors - **Applied CSRF Guard globally** - Added as in for application-wide protection ## Test Plan - [x] CSRF token fetching and caching works - [x] X-CSRF-Token header included in POST/PUT/PATCH/DELETE requests - [x] Automatic token refresh on 403 CSRF errors - [x] @SkipCsrf() decorator works for exempted endpoints - [x] All existing tests pass - [x] Type checking passes - [x] Linting passes ## Changes ### API (apps/api) - : Added X-CSRF-Token and X-Workspace-Id to CORS allowedHeaders - : Applied CsrfGuard globally as APP_GUARD ### Web (apps/web) - : Added CSRF token management (fetch, store, include, refresh) - : Added comprehensive CSRF protection tests (35 total tests, all passing) All tests passing. CSRF protection now enforced application-wide with automatic token management. Generated with [Claude Code](https://claude.com/claude-code)

jason.woltje closed this pull request 2026-02-04 13:18:31 +00:00

jason.woltje referenced this issue from a commit 2026-02-08 08:10:04 +00:00

fix(test): Fix FilterBar and TaskList test failures

Some checks failed

Hide all checks

ci/woodpecker/push/woodpecker Pipeline failed

Details

ci/woodpecker/pr/woodpecker Pipeline failed

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#324