Refactor API calls to use csrfFetch for enhanced security across multiple views, including loop-monitor, mcp-manager, memory, prompt-history, rules-manager, session-detail, and skills-manager. Additionally, add Phase 1 and Phase 2 documentation for session initialization and orchestration loop in the ccw-loop-b skill.

catlog22
2026-02-07 10:54:12 +08:00
parent f7dfbc0512
commit 92b0d175a7
49 changed files with 2003 additions and 480 deletions


@@ -132,23 +132,40 @@ export async function csrfValidation(ctx: CsrfMiddlewareContext): Promise<boolea
const headerToken = getHeaderValue(req.headers['x-csrf-token']);
const cookies = parseCookieHeader(getHeaderValue(req.headers.cookie));
const cookieToken = cookies['XSRF-TOKEN'];
let bodyToken: string | null = null;
if (!headerToken && !cookieToken) {
const body = await readJsonBody(req);
bodyToken = extractCsrfTokenFromBody(body);
}
const token = headerToken || bodyToken || cookieToken || null;
const sessionId = cookies.ccw_session_id;
if (!token || !sessionId) {
if (!sessionId) {
writeJson(res, 403, { error: 'CSRF validation failed' });
return false;
}
const tokenManager = getCsrfTokenManager();
const ok = tokenManager.validateToken(token, sessionId);
const validate = (token: string | null): boolean => {
if (!token) return false;
return tokenManager.validateToken(token, sessionId);
};
let ok = false;
if (headerToken) {
ok = validate(headerToken);
if (!ok && cookieToken && cookieToken !== headerToken) {
ok = validate(cookieToken);
}
} else if (cookieToken) {
ok = validate(cookieToken);
}
if (!ok) {
let bodyToken: string | null = null;
if (!cookieToken) {
const body = await readJsonBody(req);
bodyToken = extractCsrfTokenFromBody(body);
}
ok = validate(bodyToken);
}
if (!ok) {
writeJson(res, 403, { error: 'CSRF validation failed' });
return false;