stack/apps
Jason Woltje ae9ac808c1
All checks were successful
ci/woodpecker/push/api Pipeline was successful
fix(api): resolve CSRF guard ordering with global AuthGuard
CsrfGuard (APP_GUARD) runs before per-controller AuthGuard, so
request.user is always undefined when CSRF validates session binding.
Skip HMAC session-binding check when user context is unavailable;
the double-submit cookie pattern (cookie matches header) provides
sufficient CSRF protection on its own.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 20:22:41 -06:00
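The guard-ordering problem and the fallback the commit describes, as an added example that is not the stack/apps project's own code: a framework-free double-submit-cookie check in which the HMAC session-binding step only runs when an AuthGuard has already populated `request.user`, and is skipped (rather than failing) when it has not. Cookie and header names, the `sessionId` field, and the `bindTokenToSession` helper are assumptions made for the example.

```typescript
// Added example, not the project's code. Demonstrates the double-submit
// cookie pattern plus optional HMAC session binding, skipped when the
// CSRF guard runs before the AuthGuard and req.user is still undefined.
import * as crypto from "crypto";

// Hypothetical names; not taken from the project.
const CSRF_COOKIE = "csrf_token";
const CSRF_HEADER = "x-csrf-token";

export interface CsrfRequest {
  method: string;
  cookies: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
  // Set by a per-controller AuthGuard; undefined if that guard has not run yet.
  user?: { sessionId: string };
}

export type CsrfResult =
  | { ok: true; sessionBound: boolean }
  | { ok: false; reason: string };

// Constant-time string comparison; a length mismatch is itself a rejection,
// and timingSafeEqual would throw on unequal lengths, so check length first.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && crypto.timingSafeEqual(ab, bb);
}

// Binds a CSRF token to a session: HMAC over "sessionId:token" with a
// server-side secret. Issued together with the token when the session starts.
export function bindTokenToSession(token: string, sessionId: string, secret: string): string {
  return crypto.createHmac("sha256", secret).update(`${sessionId}:${token}`).digest("hex");
}

export function validateCsrf(req: CsrfRequest, secret: string, boundMac?: string): CsrfResult {
  // Safe methods must not change state, so they are not CSRF-checked.
  if (["GET", "HEAD", "OPTIONS"].includes(req.method.toUpperCase())) {
    return { ok: true, sessionBound: false };
  }
  const cookieToken = req.cookies[CSRF_COOKIE];
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken || !headerToken) {
    return { ok: false, reason: "missing csrf token" };
  }
  // Double-submit check: a cross-site page cannot read the cookie, so it
  // cannot reproduce its value in a custom request header.
  if (!safeEqual(cookieToken, headerToken)) {
    return { ok: false, reason: "cookie/header mismatch" };
  }
  // Session binding needs req.user. With the CSRF guard registered globally
  // (APP_GUARD) it runs before the controller-level AuthGuard, so req.user is
  // undefined here; the binding step is skipped and the double-submit result stands.
  if (req.user === undefined || boundMac === undefined) {
    return { ok: true, sessionBound: false };
  }
  const expected = bindTokenToSession(cookieToken, req.user.sessionId, secret);
  if (!safeEqual(expected, boundMac)) {
    return { ok: false, reason: "token not bound to this session" };
  }
  return { ok: true, sessionBound: true };
}
```

The `sessionBound` flag in the result makes the degraded mode observable: a deployment that expects binding can log or alert when state-changing requests are consistently validated without it, which is how the ordering issue the commit describes would have surfaced in monitoring.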