mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(api): resolve CSRF guard ordering with global AuthGuard #514

Merged
jason.woltje merged 1 commits from fix/csrf-guard-ordering into main 2026-02-26 02:26:03 +00:00
Conversation 0 Commits 1 Files Changed 2 +26 -24
jason.woltje commented 2026-02-26 02:25:46 +00:00
Owner
Copy Link

Summary

  • CsrfGuard (global APP_GUARD) runs before per-controller AuthGuard, so request.user is always undefined during CSRF validation
  • This causes CSRF
## Summary - CsrfGuard (global APP_GUARD) runs before per-controller AuthGuard, so request.user is always undefined during CSRF validation - This causes CSRF
jason.woltje added 1 commit 2026-02-26 02:25:46 +00:00
fix(api): resolve CSRF guard ordering with global AuthGuard
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details
ae9ac808c1 
CsrfGuard (APP_GUARD) runs before per-controller AuthGuard, so
request.user is always undefined when CSRF validates session binding.
Skip HMAC session-binding check when user context is unavailable;
the double-submit cookie pattern (cookie matches header) provides
sufficient CSRF protection on its own.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jason.woltje merged commit 9f4de1682f into main 2026-02-26 02:26:03 +00:00
jason.woltje deleted branch fix/csrf-guard-ordering 2026-02-26 02:26:03 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
ai
AI/LLM integration
 api
Backend/API work
 api
auth
Authentication
 database
database
Database/schema work
 devops
Docker/deployment
 docs
Documentation
 frontend
graph
knowledge-module
migration
Data migration
 orchestrator
Orchestrator service (apps/orchestrator/)
 p0
Critical priority
 p1
High priority
 p2
Medium priority
 p3
Low priority
 performance
Performance work
 phase-1
phase-2
phase-3
phase-4
phase-5
plugin
MoltBot plugin work
 search
security
Security-related
 setup
Initial setup
 testing
Testing/QA
 web
Frontend work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaic/stack#514
Delete Branch "fix/csrf-guard-ordering"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?