jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/middleware
History
Jennie Robinson Faber 7a626b0a82
Some checks failed
Test / Notify on failure (push) Blocked by required conditions
Details
Test / visual (push) Blocked by required conditions
Details
Test / vitest (push) Successful in 11m1s
Details
Test / playwright (push) Has been cancelled
Details
fix(csrf): exempt /api/internal/ from double-submit check 
The reconcile-payments cron POSTs to /api/internal/reconcile-payments with
an X-Reconcile-Token header but no csrf-token cookie/header. The CSRF
middleware was 403ing the request before the route handler could check
the shared secret — breaking Fix #6 (daily reconciliation cron).

Found while wiring the Dokploy scheduled task. The Netlify scheduled
function would have hit the same 403; nobody noticed because the site
hasn't been deployed yet.

Removing CSRF protection from /api/internal/ is safe: every route under
that prefix is machine-to-machine and gates on its own shared-secret
header. CSRF protects against browser-driven cross-origin POSTs, which
isn't the threat model for these endpoints.

Tests: 758 passing (CSRF middleware unit tests still cover the exempt
list shape).
2026-04-26 13:16:11 +01:00
..
01.csrf.js fix(csrf): exempt /api/internal/ from double-submit check 2026-04-26 13:16:11 +01:00
02.security-headers.js fix: use private helcimApiToken for all server-side Helcim API calls 2026-04-04 13:37:34 +01:00
03.rate-limit.js fix: use private helcimApiToken for all server-side Helcim API calls 2026-04-04 13:37:34 +01:00