tududi/backend
Chris Veleris a89f2b72d9 fix: exempt public unauthenticated endpoints from CSRF protection
The lusca CSRF implementation was breaking login and registration because
the frontend doesn't fetch or send CSRF tokens. This is a structural issue
that requires frontend implementation.

As a pragmatic fix, this commit exempts public unauthenticated endpoints
from CSRF protection:
- /api/login, /api/register, /api/verify-email
- /api/version, /api/registration-status, /api/health
- /api/oidc/* (all OIDC authentication endpoints)
- /api/feature-flags

Authenticated endpoints still require CSRF tokens via lusca.

Also updates csrf.js to use lusca's token generation mechanism, making
it compatible with the global lusca CSRF middleware.

TODO: Implement proper CSRF token handling in the frontend for enhanced
security on public endpoints.
2026-04-13 13:05:33 +03:00
cmd Fix isEmail validation failure on valid emails during Docker setup (#835) 2026-02-11 15:42:11 +02:00
config Setup infra for reverse proxy (#831) 2026-02-10 20:22:51 +02:00
docs/swagger Update swagger (#906) 2026-03-04 18:47:48 +02:00
middleware fix: exempt public unauthenticated endpoints from CSRF protection 2026-04-13 13:05:33 +03:00
migrations feat: Add OIDC/SSO authentication support (#1008) 2026-04-13 12:17:35 +03:00
models feat: Add OIDC/SSO authentication support (#1008) 2026-04-13 12:17:35 +03:00
modules feat: Add OIDC/SSO authentication support (#1008) 2026-04-13 12:17:35 +03:00
scripts Fix bug 366 (#764) 2026-01-07 18:18:07 +02:00
seeders Fix bug 366 (#764) 2026-01-07 18:18:07 +02:00
services Fix bug 366 (#764) 2026-01-07 18:18:07 +02:00
shared Fix bug 366 (#764) 2026-01-07 18:18:07 +02:00
tests feat: Add OIDC/SSO authentication support (#1008) 2026-04-13 12:17:35 +03:00
utils feat: Add OIDC/SSO authentication support (#1008) 2026-04-13 12:17:35 +03:00
.env.example feat: Add MCP Integration with client-agnostic instructions (#953) 2026-03-20 16:55:49 +02:00
.env.test Feat: habits (#707) 2025-12-13 08:47:52 +02:00
.prettierignore Add 'dist' paths to git & prettier ignore. 2025-07-22 11:45:14 +03:00
.prettierrc.json Linting cleanup (#99) 2025-07-01 11:40:09 +03:00
.sequelizerc Express migration (#80) 2025-06-16 21:50:44 +03:00
app.js fix: exempt public unauthenticated endpoints from CSRF protection 2026-04-13 13:05:33 +03:00
database.sqlite Fix bug 619 (#629) 2025-12-02 18:00:36 +02:00
eslint.config.js Sorting fixes (#174) 2025-07-17 17:43:56 +03:00
jest.config.js Fix E2E test breakage (#380) 2025-10-05 16:04:46 +03:00