mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(api): skip CSRF for Bearer-authenticated API clients #622

Merged
jason.woltje merged 1 commits from fix/csrf-bearer-bypass into main 2026-03-01 19:06:15 +00:00
Conversation 0 Commits 1 Files Changed 2 +16
jason.woltje commented 2026-03-01 19:01:37 +00:00
Owner
Copy Link

CSRF protection is only relevant for cookie-based sessions. Requests using Authorization: Bearer are not CSRF-vulnerable — malicious sites cannot inject Authorization headers. This change skips CSRF validation when a Bearer token is present, enabling programmatic API access from agents and service accounts.

CSRF protection is only relevant for cookie-based sessions. Requests using Authorization: Bearer are not CSRF-vulnerable — malicious sites cannot inject Authorization headers. This change skips CSRF validation when a Bearer token is present, enabling programmatic API access from agents and service accounts.
jason.woltje added 1 commit 2026-03-01 19:01:37 +00:00
fix(api): skip CSRF for Bearer-authenticated requests
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
97b14edbaa
jason.woltje merged commit 99a4567e32 into main 2026-03-01 19:06:15 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
ai
AI/LLM integration
 api
Backend/API work
 api
auth
Authentication
 database
database
Database/schema work
 devops
Docker/deployment
 docs
Documentation
 frontend
graph
knowledge-module
migration
Data migration
 orchestrator
Orchestrator service (apps/orchestrator/)
 p0
Critical priority
 p1
High priority
 p2
Medium priority
 p3
Low priority
 performance
Performance work
 phase-1
phase-2
phase-3
phase-4
phase-5
plugin
MoltBot plugin work
 search
security
Security-related
 setup
Initial setup
 testing
Testing/QA
 web
Frontend work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaic/stack#622
Delete Branch "fix/csrf-bearer-bypass"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?