From b903d1e5064dbadc540f94cf9a5bf49e19151ee2 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Wed, 15 Apr 2026 05:14:28 +0000
Subject: [PATCH] fix(api): wire up CSRF middleware for protected routes

Register csrfMiddleware in the protected API routes after authMiddleware and resolveStaffMiddleware to protect against CSRF attacks on state-
changing operations (POST, PUT, PATCH, DELETE).

Addresses CTO review feedback on PR #278.
---
 apps/api/src/index.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 9e56c42..50ad085 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -25,6 +25,7 @@ import { setupRouter } from "./routes/setup.js";
 import { getDb, businessSettings, eq, staff } from "@groombook/db";
 import { authMiddleware } from "./middleware/auth.js";
 import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
+import { csrfMiddleware } from "./middleware/csrf.js";
 import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
@@ -105,6 +106,7 @@ app.get("/api/auth/providers", async (c) => {
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
+api.use("*", csrfMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
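Review bot: `api.use("*", csrfMiddleware);` also runs on every `/api/auth/*` request, and nothing in this diff shows that csrfMiddleware exempts that prefix the way the comment on the next line says authMiddleware and resolveStaffMiddleware do. The Better-Auth sub-app mounted there presumably receives requests (sign-in, provider callbacks) that do not carry this app's own CSRF token, so if the middleware does not skip `/api/auth/` those requests would be rejected; if it does skip them, the comment should say so, e.g. `// authMiddleware, resolveStaffMiddleware and csrfMiddleware all skip /api/auth/ paths`. Ordering is also worth a thought: registered after resolveStaffMiddleware, a forged request is still session-validated and has its staff row looked up before it is refused, so if csrfMiddleware needs only the request (Origin/Sec-Fetch-Site or a double-submit cookie) rather than the resolved session, registering it directly after authMiddleware, or before it, drops forged requests before any DB work. The hunk header counts one more context line than is visible here (likely a blank line lost when the patch was collapsed), so the exact placement relative to the Better-Auth mount that follows cannot be confirmed from this view.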