mirror of
https://github.com/zvx-echo6/central.git
synced 2026-05-22 02:24:38 +02:00
Fixes CSRF race condition where every GET rotated the CSRF token, causing POST failures when users had multiple tabs or slow connections.

Changes:
- Remove fastapi-csrf-protect dependency
- Add session-bound CSRF tokens stored in config.sessions table
- Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator)
- Add csrf.py module for pre-auth token generation/validation
- Update routes to use new CSRF token handling
- Add migration 013 to add csrf_token column to sessions

The session-bound approach ensures CSRF tokens remain stable for the duration of a session, eliminating the race condition.

Note: Route tests (test_wizard.py, test_adapters.py, etc.) need refactoring to mock get_settings() instead of the CsrfProtect dependency. Core auth/CSRF handler tests pass (74 tests).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| File |
|---|
| .. |
| 001_create_config_schema.sql |
| 002_add_updated_at_trigger_and_index.sql |
| 003_add_streams_table.sql |
| 004_nws_states_to_bbox.sql |
| 005_add_firms_adapter.sql |
| 006_add_usgs_quake_adapter.sql |
| 007_add_config_system.sql |
| 008_add_operators.sql |
| 009_add_sessions.sql |
| 010_add_audit_log.sql |
| 011_events_add_adapter_column.sql |
| 013_add_session_csrf_token.sql |
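The two-tab race and the session-bound fix described in the commit message above, as an added Python illustration that is not the project's code. `Session` is a stand-in for one row of the config.sessions table with the new csrf_token column, `RotatingCsrf` mimics the old mint-on-every-GET behaviour, and `SessionBoundCsrf` is the stable per-session token. The pre-auth token for routes such as /login is my own assumed design (a stateless HMAC over a nonce and an issue timestamp); the commit says only that csrf.py generates and validates such tokens, not how.

```python
"""Per-request vs. session-bound CSRF tokens (added example, not project code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Hypothetical stand-in for a config.sessions row with a csrf_token column."""
    session_id: str
    csrf_token: Optional[str] = None


class RotatingCsrf:
    """Old behaviour: every GET mints a new token that replaces the previous one.

    Only the latest token is accepted, so a form rendered in one tab is
    invalidated as soon as any other GET for the same session happens.
    """

    def __init__(self) -> None:
        self._latest: Dict[str, str] = {}  # session_id -> most recent token

    def render_form(self, session: Session) -> str:
        token = secrets.token_urlsafe(32)
        self._latest[session.session_id] = token
        return token

    def validate(self, session: Session, submitted: Optional[str]) -> bool:
        expected = self._latest.get(session.session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())


class SessionBoundCsrf:
    """New behaviour: one token per session, created lazily and never rotated
    by a GET, so every form rendered during the session stays submittable."""

    def render_form(self, session: Session) -> str:
        if session.csrf_token is None:
            session.csrf_token = secrets.token_urlsafe(32)
        return session.csrf_token

    def validate(self, session: Session, submitted: Optional[str]) -> bool:
        if session.csrf_token is None or submitted is None:
            return False
        # Constant-time compare so token bytes cannot be guessed via timing.
        return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def two_tab_scenario(csrf, session: Session):
    """Tab A renders a form, tab B renders another, then tab A submits first.

    Returns (tab A accepted?, tab B accepted?).
    """
    token_a = csrf.render_form(session)
    token_b = csrf.render_form(session)
    return csrf.validate(session, token_a), csrf.validate(session, token_b)


# --- Pre-auth tokens for routes that have no session yet (assumed design) ---
PRE_AUTH_SECRET = secrets.token_bytes(32)  # in a real app: from settings


def issue_preauth_token(secret: bytes = PRE_AUTH_SECRET, now: Optional[float] = None) -> str:
    """Stateless token: nonce.timestamp.HMAC-SHA256(secret, nonce.timestamp)."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    payload = f"{nonce}.{ts}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def validate_preauth_token(token: str, secret: bytes = PRE_AUTH_SECRET,
                           max_age: int = 3600, now: Optional[float] = None) -> bool:
    """Reject malformed, tampered, future-dated or expired pre-auth tokens."""
    try:
        nonce, ts, mac = token.split(".")
        issued = int(ts)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= max_age


if __name__ == "__main__":
    print("rotating   (tab A ok, tab B ok):", two_tab_scenario(RotatingCsrf(), Session("s1")))
    print("session-bound (tab A ok, tab B ok):", two_tab_scenario(SessionBoundCsrf(), Session("s2")))
```

Because the session-bound token lives as long as the session row, it should be replaced whenever the session itself is rotated (for instance when the session id is regenerated at login), and it is only as safe as the session cookie it is bound to.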