From 94da7a4de95bbcdcded27d0d1ee15094655ae094 Mon Sep 17 00:00:00 2001
From: Chris Veleris
Date: Mon, 13 Apr 2026 12:30:16 +0300
Subject: [PATCH] fix: apply CSRF protection only to state-changing HTTP methods

The lusca CSRF middleware was being applied to all requests including safe methods like GET, causing "CSRF token missing" errors for endpoints like /api/registration-status. CSRF protection should only apply to state-changing methods (POST, PUT, PATCH, DELETE), not to safe methods (GET, HEAD, OPTIONS) which cannot modify server state. This fix adds a check to bypass CSRF validation for safe HTTP methods while maintaining protection for all state-changing operations.
---
 backend/app.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/app.js b/backend/app.js
index 81a4362..7ade690 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -108,8 +108,10 @@ app.use((req, res, next) => {
 });
 
 // Apply lusca CSRF - wrapped to check exemption flag
+// Only apply to state-changing methods (POST, PUT, PATCH, DELETE)
 app.use((req, res, next) => {
-  if (req._csrfExempt) {
+  const statefulMethods = ['POST', 'PUT', 'PATCH', 'DELETE'];
+  if (req._csrfExempt || !statefulMethods.includes(req.method)) {
     return next();
   }
   return lusca.csrf({
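Review bot: The new guard fails open: `!statefulMethods.includes(req.method)` skips CSRF validation for every method outside the four listed, not just the safe ones the message describes, so TRACE, CONNECT, WebDAV methods (PROPFIND, MOVE, LOCK, …) or any method a later `method-override`-style middleware maps onto a route would reach handlers with no token check. Invert it into an allowlist of the methods RFC 9110 defines as safe, `const safeMethods = ['GET', 'HEAD', 'OPTIONS'];` and `if (req._csrfExempt || safeMethods.includes(req.method)) {`, so anything unrecognised is still validated; hoisting that array out of the handler also avoids allocating it per request. A second consequence worth confirming: because lusca is now never invoked on GET, whatever it attaches on those requests (typically the per-session token exposed to templates or a token endpoint) will no longer be populated, so make sure the token is still issued to clients somewhere before the first state-changing request. The `app.use` callback continues past the hunk (`return lusca.csrf({` is cut off), so the option object it builds was not reviewed.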