Jason Woltje 3a98b78661 fix: Complete CSRF protection implementation ...

Closes three CSRF security gaps identified in code review:

1. Added X-CSRF-Token and X-Workspace-Id to CORS allowed headers
   - Updated apps/api/src/main.ts to accept CSRF token headers

2. Integrated CSRF token handling in web client
   - Added fetchCsrfToken() to fetch token from API
   - Store token in memory (not localStorage for security)
   - Automatically include X-CSRF-Token in POST/PUT/PATCH/DELETE
   - Implement automatic token refresh on 403 CSRF errors
   - Added comprehensive test coverage for CSRF functionality

3. Applied CSRF Guard globally
   - Added CsrfGuard as APP_GUARD in app.module.ts
   - Verified @SkipCsrf() decorator works for exempted endpoints

All tests passing. CSRF protection now enforced application-wide.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-04 07:12:42 -06:00

..

src

fix: Complete CSRF protection implementation

2026-02-04 07:12:42 -06:00

.dockerignore

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

Dockerfile

fix(#180): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

eslint.config.js

fix(#1): Address code review findings

2026-01-28 15:07:04 -06:00

next-env.d.ts

feat(#1): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

next.config.ts

feat(#1): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

package.json

fix(#M5-QA): address security findings from code review

2026-02-02 16:50:38 -06:00

tsconfig.json

fix: Resolve web package lint and typecheck errors

2026-01-30 21:34:12 -06:00

vitest.config.ts

test(CI): fix all test failures from lint changes

2026-01-31 01:01:21 -06:00

vitest.setup.ts

test(CI): fix all test failures from lint changes

2026-01-31 01:01:21 -06:00