tududi/backend/middleware
Chris Veleris a89f2b72d9 fix: exempt public unauthenticated endpoints from CSRF protection
The lusca CSRF implementation was breaking login and registration because
the frontend doesn't fetch or send CSRF tokens. This is a structural issue
that requires frontend implementation.

As a pragmatic fix, this commit exempts public unauthenticated endpoints
from CSRF protection:
- /api/login, /api/register, /api/verify-email
- /api/version, /api/registration-status, /api/health
- /api/oidc/* (all OIDC authentication endpoints)
- /api/feature-flags

Authenticated endpoints still require CSRF tokens via lusca.

Also updates csrf.js to use lusca's token generation mechanism, making
it compatible with the global lusca CSRF middleware.

TODO: Implement proper CSRF token handling in the frontend for enhanced
security on public endpoints.
2026-04-13 13:05:33 +03:00
auth.js Fix bug 366 (#764) 2026-01-07 18:18:07 +02:00
authorize.js chore(lint): remove unnecessary try/catch and tighten error handling 2025-09-22 15:20:46 +03:00
csrf.js fix: exempt public unauthenticated endpoints from CSRF protection 2026-04-13 13:05:33 +03:00
permissionCache.js Feat refactor tasks pt1 (#536) 2025-11-15 14:02:06 +02:00
queryLogger.js Feat refactor tasks pt1 (#536) 2025-11-15 14:02:06 +02:00
rateLimiter.js Fix api issues (#499) 2025-11-07 20:33:31 +02:00