matt/central
1
0
Fork 0
mirror of https://github.com/zvx-echo6/central.git synced 2026-05-22 02:24:38 +02:00
Code Issues Projects Releases Packages Wiki Activity
central/sql
History
Matt Johnson c317c9ab01 fix(csrf): replace fastapi-csrf-protect with session-bound CSRF 
Fixes CSRF race condition where every GET rotated the CSRF token,
causing POST failures when users had multiple tabs or slow connections.

Changes:
- Remove fastapi-csrf-protect dependency
- Add session-bound CSRF tokens stored in config.sessions table
- Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator)
- Add csrf.py module for pre-auth token generation/validation
- Update routes to use new CSRF token handling
- Add migration 013 to add csrf_token column to sessions

The session-bound approach ensures CSRF tokens remain stable for the
duration of a session, eliminating the race condition.

Note: Route tests (test_wizard.py, test_adapters.py, etc.) need
refactoring to mock get_settings() instead of CsrfProtect dependency.
Core auth/CSRF handler tests pass (74 tests).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-18 03:16:37 +00:00
..
migrations fix(csrf): replace fastapi-csrf-protect with session-bound CSRF 2026-05-18 03:16:37 +00:00
.gitkeep scaffold: initial repository structure 2026-05-15 19:16:24 +00:00