mirror of
https://github.com/zvx-echo6/central.git
synced 2026-05-22 02:24:38 +02:00
fix(csrf): replace fastapi-csrf-protect with session-bound CSRF
Fixes CSRF race condition where every GET rotated the CSRF token, causing POST failures when users had multiple tabs or slow connections. Changes: - Remove fastapi-csrf-protect dependency - Add session-bound CSRF tokens stored in config.sessions table - Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator) - Add csrf.py module for pre-auth token generation/validation - Update routes to use new CSRF token handling - Add migration 013 to add csrf_token column to sessions The session-bound approach ensures CSRF tokens remain stable for the duration of a session, eliminating the race condition. Note: Route tests (test_wizard.py, test_adapters.py, etc.) need refactoring to mock get_settings() instead of CsrfProtect dependency. Core auth/CSRF handler tests pass (74 tests). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matt Johnson
parent
84044a4d45
commit
c317c9ab01
11 changed files with 410 additions and 208 deletions
|
|
@ -16,7 +16,6 @@ dependencies = [
|
|||
"asyncpg>=0.31.0",
|
||||
"cloudevents>=2.0.0",
|
||||
"cryptography>=44.0.0",
|
||||
"fastapi-csrf-protect>=0.4.0",
|
||||
"fastapi>=0.115.0",
|
||||
"jinja2>=3.1.6",
|
||||
"nats-py>=2.14.0",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue