central/pyproject.toml
Matt Johnson c317c9ab01 fix(csrf): replace fastapi-csrf-protect with session-bound CSRF
Fixes CSRF race condition where every GET rotated the CSRF token,
causing POST failures when users had multiple tabs or slow connections.

Changes:
- Remove fastapi-csrf-protect dependency
- Add session-bound CSRF tokens stored in config.sessions table
- Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator)
- Add csrf.py module for pre-auth token generation/validation
- Update routes to use new CSRF token handling
- Add migration 013 to add csrf_token column to sessions

The session-bound approach ensures CSRF tokens remain stable for the
duration of a session, eliminating the race condition.

Note: Route tests (test_wizard.py, test_adapters.py, etc.) need
refactoring to mock get_settings() instead of CsrfProtect dependency.
Core auth/CSRF handler tests pass (74 tests).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-18 03:16:37 +00:00


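[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"

[project]
name = "central"
version = "0.1.0"
# Supported interpreter range: the 3.12 series only.
requires-python = ">=3.12,<3.13"
description = "Data hub spine — adapters, bus, archive."
readme = "README.md"
license = { text = "MIT" }
authors = [{ name = "Matt Johnson" }]
# Runtime dependencies, sorted alphabetically. Only lower bounds are set
# here (pydantic is additionally held below 3); exact versions are not
# pinned in this file.
# No CSRF library is listed: CSRF protection is implemented in-tree with
# session-bound tokens (see commit c317c9ab01), which replaced
# fastapi-csrf-protect.
dependencies = [
    "aiohttp>=3.13.5",
    "argon2-cffi>=25.1.0",
    "asyncpg>=0.31.0",
    "cloudevents>=2.0.0",
    "cryptography>=44.0.0",
    "fastapi>=0.115.0",
    "jinja2>=3.1.6",
    "nats-py>=2.14.0",
    "pydantic>=2,<3",
    "pydantic-settings>=2.7.0",
    "python-multipart>=0.0.20",
    "shapely>=2.0",
    "tenacity>=9.1.4",
    "uvicorn[standard]>=0.34.0",
]

# Console entry points; each maps to a `main` callable in the named module.
[project.scripts]
central-supervisor = "central.supervisor:main"
central-archive = "central.archive:main"
central-migrate = "central.migrate:main"
central-cli = "central.cli:main"
central-gui = "central.gui:main"

[tool.hatch.build.targets.wheel]
packages = ["src/central"]

# Development-only tools (PEP 735 dependency groups); not installed with the wheel.
[dependency-groups]
dev = [
    "httpx>=0.28.0",
    "mypy>=2.1.0",
    "pytest>=9.0.3",
    "pytest-asyncio>=1.3.0",
    "ruff>=0.15.13",
]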