fix(api): remove CSRF middleware that breaks POST/PUT/PATCH/DELETE
The CSRF middleware requires x-csrf-token header but the frontend never sends it, which would break all mutating operations with 403 errors. CSRF protection should be implemented in a separate coordinated PR with frontend changes. Co-Authored-By: Paperclip <noreply@paperclip.ing>
committed by
groombook-cto[bot]
parent
b903d1e506
commit
2573d067e4
@@ -25,7 +25,6 @@ import { setupRouter } from "./routes/setup.js";
|
|||||||
import { getDb, businessSettings, eq, staff } from "@groombook/db";
|
import { getDb, businessSettings, eq, staff } from "@groombook/db";
|
||||||
import { authMiddleware } from "./middleware/auth.js";
|
import { authMiddleware } from "./middleware/auth.js";
|
||||||
import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
|
import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
|
||||||
import { csrfMiddleware } from "./middleware/csrf.js";
|
|
||||||
import { devRouter } from "./routes/dev.js";
|
import { devRouter } from "./routes/dev.js";
|
||||||
import { adminSeedRouter } from "./routes/admin/seed.js";
|
import { adminSeedRouter } from "./routes/admin/seed.js";
|
||||||
import { startReminderScheduler } from "./services/reminders.js";
|
import { startReminderScheduler } from "./services/reminders.js";
|
||||||
@@ -106,7 +105,6 @@ app.get("/api/auth/providers", async (c) => {
|
|||||||
const api = app.basePath("/api");
|
const api = app.basePath("/api");
|
||||||
api.use("*", authMiddleware);
|
api.use("*", authMiddleware);
|
||||||
api.use("*", resolveStaffMiddleware);
|
api.use("*", resolveStaffMiddleware);
|
||||||
api.use("*", csrfMiddleware);
|
|
||||||
|
|
||||||
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
|
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
|
||||||
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
|
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
|
||||||
|
|||||||
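Review bot: Removing `api.use("*", csrfMiddleware);` in the second hunk leaves every non-safe method under `/api` with no cross-origin request check at all, so if `authMiddleware` authenticates from a cookie — likely given the Better-Auth sub-app mounted just below, though the middleware body is outside this diff — the browser will attach that cookie to cross-site requests and they will be accepted. The deleted middleware only tested for the presence of `x-csrf-token`, i.e. it was a custom-header check that relies on CORS rejecting cross-origin preflights rather than a real token, so the coordinated follow-up should verify the CORS configuration as well rather than reintroduce the header check as-is. An interim that needs no frontend change is a middleware that, for non-safe methods, rejects requests whose `Origin` (or `Sec-Fetch-Site`) does not match the API's own origin. At minimum, leave a marker at the mount point so the gap is tracked: `// NOTE: csrfMiddleware removed in 2573d067e4; non-safe /api methods have no cross-origin check until the coordinated CSRF PR lands.`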
@@ -1,18 +0,0 @@
|
|||||||
import type { MiddlewareHandler } from "hono";
|
|
||||||
import type { AppEnv } from "./rbac.js";
|
|
||||||
|
|
||||||
const CSRF_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];
|
|
||||||
|
|
||||||
export const csrfMiddleware: MiddlewareHandler<AppEnv> = async (c, next) => {
|
|
||||||
if (CSRF_SAFE_METHODS.includes(c.req.method)) {
|
|
||||||
await next();
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
const csrfHeader = c.req.header("x-csrf-token");
|
|
||||||
if (!csrfHeader) {
|
|
||||||
return c.json({ error: "CSRF token required" }, 403);
|
|
||||||
}
|
|
||||||
|
|
||||||
await next();
|
|
||||||
};
|
|
||||||