groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): wire up CSRF middleware for protected routes

Browse Source 
Register csrfMiddleware in the protected API routes after authMiddleware
and resolveStaffMiddleware to protect against CSRF attacks on state-
changing operations (POST, PUT, PATCH, DELETE).

Addresses CTO review feedback on PR #278.
This commit is contained in:
Flea Flicker
2026-04-15 05:14:28 +00:00
committed by groombook-cto[bot]
parent 8f06f32e7d
commit b903d1e506
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/index.ts
+2
View File
@@ -25,6 +25,7 @@ import { setupRouter } from "./routes/setup.js";
import { getDb, businessSettings, eq, staff } from "@groombook/db"; import { getDb, businessSettings, eq, staff } from "@groombook/db";
import { authMiddleware } from "./middleware/auth.js"; import { authMiddleware } from "./middleware/auth.js";
import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js"; import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
import { csrfMiddleware } from "./middleware/csrf.js";
import { devRouter } from "./routes/dev.js"; import { devRouter } from "./routes/dev.js";
import { adminSeedRouter } from "./routes/admin/seed.js"; import { adminSeedRouter } from "./routes/admin/seed.js";
import { startReminderScheduler } from "./services/reminders.js"; import { startReminderScheduler } from "./services/reminders.js";
@@ -105,6 +106,7 @@ app.get("/api/auth/providers", async (c) => {
const api = app.basePath("/api"); const api = app.basePath("/api");
api.use("*", authMiddleware); api.use("*", authMiddleware);
api.use("*", resolveStaffMiddleware); api.use("*", resolveStaffMiddleware);
api.use("*", csrfMiddleware);
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths