fix(api): resolve CSRF guard ordering with global AuthGuard #514

Merged
jason.woltje merged 1 commits from fix/csrf-guard-ordering into main 2026-02-26 02:26:03 +00:00

1 commit

ae9ac808c1  fix(api): resolve CSRF guard ordering with global AuthGuard
All checks were successful (ci/woodpecker/push/api: Pipeline was successful)
CsrfGuard (APP_GUARD) runs before per-controller AuthGuard, so
request.user is always undefined when CSRF validates session binding.
Skip HMAC session-binding check when user context is unavailable;
the double-submit cookie pattern (cookie matches header) provides
sufficient CSRF protection on its own.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 20:22:41 -06:00
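The commit message above describes two layers of CSRF checking: a double-submit comparison (cookie value equals header value) and an HMAC binding of the token to the authenticated user, with the binding check skipped when request.user has not been populated yet because the global guard runs before the per-controller AuthGuard. The following is an added, framework-independent TypeScript example (not the project's own CsrfGuard code) that makes the two layers and the skip explicit. The request shape, cookie and header names, token format, and the demo secret are all constructed for illustration.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed request shape standing in for the framework request object.
// `user` is undefined when the auth guard has not run yet (the ordering
// problem the commit describes).
export interface CsrfRequest {
  cookies: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
  user?: { id: string };
}

const CSRF_SECRET = "constructed-demo-secret"; // placeholder, not a real key
const COOKIE_NAME = "csrf_token";               // assumed cookie name
const HEADER_NAME = "x-csrf-token";             // assumed header name

// Token format assumed for the example: "<nonce>.<hmac>" where
// hmac = HMAC-SHA256(secret, nonce + ":" + userId). The HMAC is what binds
// the token to a particular session/user.
export function issueToken(userId: string): string {
  const nonce = randomBytes(16).toString("hex");
  const mac = createHmac("sha256", CSRF_SECRET)
    .update(`${nonce}:${userId}`)
    .digest("hex");
  return `${nonce}.${mac}`;
}

// Constant-time string comparison (length leak is acceptable for tokens).
function safeEqual(a: string, b: string): boolean {
  const ba = new TextEncoder().encode(a);
  const bb = new TextEncoder().encode(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Recompute the HMAC for this user and compare it with the token's MAC.
function boundToUser(token: string, userId: string): boolean {
  const [nonce, mac] = token.split(".");
  if (!nonce || !mac) return false;
  const expected = createHmac("sha256", CSRF_SECRET)
    .update(`${nonce}:${userId}`)
    .digest("hex");
  return safeEqual(mac, expected);
}

export type CsrfVerdict =
  | "ok-double-submit" // cookie == header, no user context to bind against
  | "ok-bound"         // cookie == header AND token is bound to req.user
  | "reject-mismatch"  // missing or differing cookie/header
  | "reject-unbound";  // cookie == header but token belongs to another user

// Mirrors the guard logic described in the commit: double-submit always,
// session binding only when user context is available.
export function checkCsrf(req: CsrfRequest): CsrfVerdict {
  const cookie = req.cookies[COOKIE_NAME];
  const header = req.headers[HEADER_NAME];
  if (!cookie || !header || !safeEqual(cookie, header)) {
    return "reject-mismatch";
  }
  if (req.user === undefined) {
    // Auth guard has not populated the user: skip the binding check.
    return "ok-double-submit";
  }
  return boundToUser(cookie, req.user.id) ? "ok-bound" : "reject-unbound";
}
```

The verdicts make the trade-off visible: on a route where the CSRF guard executes before authentication, every request resolves to "ok-double-submit" and the HMAC binding contributes nothing, so protection there rests entirely on the double-submit assumption that an attacker cannot set a cookie for the application's origin (for example via a sibling subdomain). Routes where AuthGuard has already run still get the stronger "ok-bound" / "reject-unbound" distinction.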