fix(api): remove CSRF middleware that breaks POST/PUT/PATCH/DELETE

The CSRF middleware requires x-csrf-token header but the frontend never sends it, which would break all mutating operations with 403 errors. CSRF protection should be implemented in a separate coordinated PR with frontend changes. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 05:47:29 +00:00
parent b903d1e506
commit 2573d067e4
2 changed files with 0 additions and 20 deletions
@@ -25,7 +25,6 @@ import { setupRouter } from "./routes/setup.js";
 import { getDb, businessSettings, eq, staff } from "@groombook/db";
 import { authMiddleware } from "./middleware/auth.js";
 import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
-import { csrfMiddleware } from "./middleware/csrf.js";
 import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
@@ -106,7 +105,6 @@ app.get("/api/auth/providers", async (c) => {
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
-api.use("*", csrfMiddleware);

 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
@@ -1,18 +0,0 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "./rbac.js";
-
-const CSRF_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];
-
-export const csrfMiddleware: MiddlewareHandler<AppEnv> = async (c, next) => {
-  if (CSRF_SAFE_METHODS.includes(c.req.method)) {
-    await next();
-    return;
-  }
-
-  const csrfHeader = c.req.header("x-csrf-token");
-  if (!csrfHeader) {
-    return c.json({ error: "CSRF token required" }, 403);
-  }
-
-  await next();
-};