From fa567114d68add1e6d0adec0e1ef25de5933543b Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Sun, 1 Mar 2026 15:12:54 -0600
Subject: [PATCH] fix(api): remove noisy CSRF debug log for expected guard ordering
---
 apps/api/src/common/guards/csrf.guard.ts | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/apps/api/src/common/guards/csrf.guard.ts b/apps/api/src/common/guards/csrf.guard.ts
index 82e0156..a47741f 100644
--- a/apps/api/src/common/guards/csrf.guard.ts
+++ b/apps/api/src/common/guards/csrf.guard.ts
@@ -111,14 +111,9 @@ export class CsrfGuard implements CanActivate {
 throw new ForbiddenException("CSRF token not bound to session");
 }
- } else {
- this.logger.debug({
- event: "CSRF_SKIP_SESSION_BINDING",
- method: request.method,
- path: request.path,
- reason: "User context not yet available (global guard runs before AuthGuard)",
- });
 }
+ // Note: when userId is absent, the double-submit cookie check above is
+ // sufficient CSRF protection. AuthGuard populates request.user afterward.
 return true;
 }
-- 
2.49.1
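Review bot: The comment added before `return true;` calls the double-submit check "sufficient" when `userId` is absent, but if this guard always runs before AuthGuard (as the removed log's reason string says), the session-binding branch above would never execute, and this commit deletes the only signal that binding was skipped. An unbound double-submit token does not protect against a party able to set cookies for the site's domain, which is the gap the "not bound to session" check exists to close. I would document this as a known limitation rather than a guarantee, e.g. `// NOTE: session binding is skipped when request.user is unset (this guard runs before AuthGuard);` `// only the unbound double-submit check applies on this path.`, and consider running the binding check after authentication so it actually takes effect. The start of the method, including the cookie/header comparison, lies outside this hunk, so the ordering claim is inferred from the visible lines and should be confirmed.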