stack/workers/csrf-fix-prompt.txt

Fix the CsrfGuard in ~/src/mosaic-stack to skip CSRF validation when the request is authenticated via Bearer token (Authorization header).
## Background
CSRF attacks exploit cookie-based authentication — a malicious site tricks the browser into sending authenticated cookies. When a client uses `Authorization: Bearer <token>`, CSRF is not a valid attack vector because malicious sites cannot set or read Authorization headers. The CSRF guard should not fire for Bearer-authenticated API clients.
## File to Change
apps/api/src/common/guards/csrf.guard.ts
## What to Do
1. git checkout main && git pull --ff-only origin main
2. Create branch: fix/csrf-bearer-bypass
3. Read csrf.guard.ts carefully
4. Update `canActivate` to skip the CSRF check when the request has an `Authorization: Bearer` header
   - Extract the Authorization header
   - If it starts with "Bearer ", return true (skip CSRF — Bearer auth is not CSRF-vulnerable)
   - Otherwise, proceed with the existing CSRF token validation as-is
5. Do NOT change any other logic — surgical change only
6. Read auth.guard.ts to confirm you are using the same header extraction pattern for consistency
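A framework-free sketch of the guard decision described in step 4, added here as an illustration; it is not the mosaic-stack CsrfGuard and does not depend on NestJS. The Node-style header map, the double-submit cookie check standing in for the existing validation, and the case-insensitive scheme match with a non-empty token (slightly stricter than a plain `startsWith("Bearer ")`) are assumptions of this example.

```typescript
// Added example, not code from the mosaic-stack repository.
// Header names are assumed lowercased as Node's IncomingMessage does.
type HeaderMap = Record<string, string | string[] | undefined>;

interface GuardRequest {
  method: string;
  headers: HeaderMap;
  cookies?: Record<string, string>;
}

// Returns the token from a well-formed `Authorization: Bearer <token>` header,
// otherwise null. The scheme match is case-insensitive (RFC 6750) and an empty
// token does not count, so "Bearer " alone still falls through to CSRF checks.
function extractBearerToken(headers: HeaderMap): string | null {
  const raw = headers["authorization"];
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (typeof value !== "string") return null;
  const m = /^Bearer\s+(\S+)\s*$/i.exec(value);
  return m?.[1] ?? null;
}

// Stand-in for the guard's existing cookie-session validation (assumed here to
// be a double-submit check): the token in X-CSRF-Token must equal the one
// bound to the session cookie, and both must be present.
function validateCsrfToken(req: GuardRequest): boolean {
  const cookieToken = req.cookies?.["csrf"];
  const headerToken = req.headers["x-csrf-token"];
  return typeof cookieToken === "string" && cookieToken.length > 0 && cookieToken === headerToken;
}

// The canActivate decision: a Bearer-authenticated request skips CSRF
// validation because a cross-site page cannot attach an Authorization header;
// every other request must still pass the existing token check unchanged.
function csrfCanActivate(req: GuardRequest): boolean {
  if (extractBearerToken(req.headers) !== null) return true;
  return validateCsrfToken(req);
}
```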
## Completion Requirements (MANDATORY)
1. Run quality gates: pnpm turbo lint typecheck --filter=@mosaic/api
2. Run tests: pnpm --filter @mosaic/api test -- --run
3. Review the change: confirm existing CSRF tests still pass, confirm Bearer bypass is correct
4. Commit: "fix(api): skip CSRF for Bearer-authenticated requests"
5. Push branch
6. Create PR: ~/.config/mosaic/tools/git/pr-create.sh -t "fix(api): skip CSRF for Bearer-authenticated API clients" -b "CSRF protection is only relevant for cookie-based sessions. Requests using Authorization: Bearer are not CSRF-vulnerable — malicious sites cannot inject Authorization headers. This change skips CSRF validation when a Bearer token is present, enabling programmatic API access from agents and service accounts."
When completely finished, run:
openclaw system event --text "Done: CSRF Bearer bypass PR ready for review" --mode now