ghostguild-org/server
Jennie Robinson Faber 7a626b0a82
Some checks failed
Test / Notify on failure (push) Blocked by required conditions
Test / visual (push) Blocked by required conditions
Test / vitest (push) Successful in 11m1s
Test / playwright (push) Has been cancelled
fix(csrf): exempt /api/internal/ from double-submit check
The reconcile-payments cron POSTs to /api/internal/reconcile-payments with
an X-Reconcile-Token header but no csrf-token cookie/header. The CSRF
middleware was 403ing the request before the route handler could check
the shared secret — breaking Fix #6 (daily reconciliation cron).

Found while wiring the Dokploy scheduled task. The Netlify scheduled
function would have hit the same 403; nobody noticed because the site
hasn't been deployed yet.

Removing CSRF protection from /api/internal/ is safe: every route under
that prefix is machine-to-machine and gates on its own shared-secret
header. CSRF protects against browser-driven cross-origin POSTs, which
isn't the threat model for these endpoints.

Tests: 758 passing (CSRF middleware unit tests still cover the exempt
list shape).
2026-04-26 13:16:11 +01:00