mirror of
https://github.com/zvx-echo6/central.git
synced 2026-05-22 10:34:43 +02:00
c317c9ab01
Fixes CSRF race condition where every GET rotated the CSRF token, causing POST failures when users had multiple tabs or slow connections. Changes: - Remove fastapi-csrf-protect dependency - Add session-bound CSRF tokens stored in config.sessions table - Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator) - Add csrf.py module for pre-auth token generation/validation - Update routes to use new CSRF token handling - Add migration 013 to add csrf_token column to sessions The session-bound approach ensures CSRF tokens remain stable for the duration of a session, eliminating the race condition. Note: Route tests (test_wizard.py, test_adapters.py, etc.) need refactoring to mock get_settings() instead of CsrfProtect dependency. Core auth/CSRF handler tests pass (74 tests). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
9 lines
352 B
SQL
9 lines
352 B
SQL
-- Add CSRF token column to sessions table
|
|
-- Session-bound CSRF tokens prevent race conditions from cookie rotation
|
|
|
|
ALTER TABLE config.sessions
|
|
ADD COLUMN csrf_token TEXT NOT NULL
|
|
DEFAULT encode(gen_random_bytes(32), 'hex');
|
|
|
|
-- Comment
|
|
COMMENT ON COLUMN config.sessions.csrf_token IS 'Session-bound CSRF token for synchronizer token pattern';
|