fix: apply CSRF protection only to state-changing HTTP methods

The lusca CSRF middleware was being applied to all requests including
safe methods like GET, causing "CSRF token missing" errors for endpoints
like /api/registration-status.

CSRF protection should only apply to state-changing methods (POST, PUT,
PATCH, DELETE), not to safe methods (GET, HEAD, OPTIONS) which cannot
modify server state.

This fix adds a check to bypass CSRF validation for safe HTTP methods
while maintaining protection for all state-changing operations.
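The rule the commit message describes (skip the token check only for safe methods, run it for everything else) can be expressed either as an allow-list of safe methods or as a deny-list of state-changing ones; the two disagree on any verb not named in the list. The following is an added example, not the project's own code, that implements the gate as a reusable middleware factory and simulates both forms without an Express server. `runCsrfCheck`, `csrfForUnsafeMethods`, `simulate` and the `_csrfExempt` flag handling are assumptions here; `csrfCheck` stands in for the per-request function that lusca.csrf(opts) returns.

```javascript
'use strict';
// Added example; not code from the page's project. `csrfCheck` below is a
// placeholder for the function lusca.csrf(opts) returns (assumption).

// Allow-list form: only these verbs are defined as safe by HTTP semantics
// and may skip the CSRF token check. Everything else is checked by default.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Decide whether a request must carry a valid CSRF token.
// Express already upper-cases req.method; the toUpperCase is defensive.
function needsCsrfCheck(req) {
  if (req._csrfExempt) return false; // explicit per-route exemption flag
  return !SAFE_METHODS.has(String(req.method).toUpperCase());
}

// Deny-list form, kept for contrast: only the four listed verbs are checked,
// so any other verb (e.g. a WebDAV method) bypasses the token check.
const STATEFUL_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];
function needsCsrfCheckDenyList(req) {
  if (req._csrfExempt) return false;
  return STATEFUL_METHODS.includes(req.method);
}

// Middleware factory. Build the real check once (outside the handler) and
// pass it in; the returned function has the usual (req, res, next) shape.
function csrfForUnsafeMethods(csrfCheck, decide = needsCsrfCheck) {
  return function csrfGate(req, res, next) {
    if (!decide(req)) return next();
    return csrfCheck(req, res, next);
  };
}

// Drive the gate with a constructed request object (no Express needed) and
// report whether the CSRF check ran: returns 'checked' or 'skipped'.
function simulate(method, opts = {}) {
  const req = { method, _csrfExempt: Boolean(opts.exempt) };
  let outcome = null;
  const fakeCheck = (_req, _res, next) => { outcome = 'checked'; next(); };
  const gate = csrfForUnsafeMethods(fakeCheck, opts.decide);
  gate(req, {}, () => { if (outcome === null) outcome = 'skipped'; });
  return outcome;
}

// Example usage: compare the two forms on a verb neither list names.
// simulate('PROPFIND')                                      -> 'checked'
// simulate('PROPFIND', { decide: needsCsrfCheckDenyList })  -> 'skipped'
```

The allow-list form fails closed: a verb the author never thought about is still checked, whereas the deny-list form silently exempts it. The `_csrfExempt` flag is honoured identically in both so that explicitly exempted routes behave the same either way.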
Chris Veleris 2026-04-13 12:30:16 +03:00
parent 3f3e50f23e
commit 94da7a4de9


@ -108,8 +108,10 @@ app.use((req, res, next) => {
});
// Apply lusca CSRF - wrapped to check exemption flag
// Only apply to state-changing methods (POST, PUT, PATCH, DELETE)
app.use((req, res, next) => {
if (req._csrfExempt) {
const statefulMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
if (req._csrfExempt || !statefulMethods.includes(req.method)) {
return next();
}
return lusca.csrf({
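Review bot: the new skip condition `if (req._csrfExempt || !statefulMethods.includes(req.method))` is a deny-list, so any verb outside the four named in `statefulMethods` (a nonstandard or future method) passes through without a token check, which is the opposite of the commit message's intent of exempting only GET, HEAD and OPTIONS. Invert it to an allow-list of safe methods, e.g. `const safeMethods = ['GET', 'HEAD', 'OPTIONS'];` and `if (req._csrfExempt || safeMethods.includes(req.method)) { return next(); }`, so that everything not known to be safe is checked by default. Two smaller points in the same region: `statefulMethods` is rebuilt on every request inside the `app.use` callback and can be hoisted to module scope, and `return lusca.csrf({` constructs the lusca middleware per request rather than once (pre-existing, but cheap to fix in the same pass). Finally, the exemption assumes every GET handler is side-effect free; a GET route that mutates state is now unprotected, and that precondition belongs in the comment above the middleware.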