From d0ac3a5cd2a8cc916139ca1dde3c0da11497c1c4 Mon Sep 17 00:00:00 2001
From: catlog22
Date: Mon, 2 Mar 2026 09:58:54 +0800
Subject: [PATCH] fix(csrf): prevent undefined token when session at max capacity

Root cause: generateToken() returned undefined when session already had maxTokensPerSession (5) tokens, causing ERR_HTTP_INVALID_HEADER_VALUE.

Fix: Force generate token even when at capacity, ensuring we always return a valid token string.

Related: v7.1.1 CLI process hang fix
---
 ccw/src/core/auth/csrf-manager.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/ccw/src/core/auth/csrf-manager.ts b/ccw/src/core/auth/csrf-manager.ts
index 7acb7a8a..8923389c 100644
--- a/ccw/src/core/auth/csrf-manager.ts
+++ b/ccw/src/core/auth/csrf-manager.ts
@@ -56,6 +56,26 @@ export class CsrfTokenManager {
    */
   generateToken(sessionId: string): string {
     const tokens = this.generateTokens(sessionId, 1);
+    // If no slots available (session at max capacity), force generate anyway
+    // This ensures we always return a valid token
+    if (tokens.length === 0) {
+      const token = randomBytes(32).toString('hex');
+      const expiresAtMs = Date.now() + this.tokenTtlMs;
+      const record: CsrfTokenRecord = {
+        sessionId,
+        expiresAtMs,
+        used: false,
+      };
+      // Get or create session map
+      let sessionMap = this.sessionTokens.get(sessionId);
+      if (!sessionMap) {
+        sessionMap = new Map();
+        this.sessionTokens.set(sessionId, sessionMap);
+      }
+      sessionMap.set(token, record);
+      this.tokenToSession.set(token, sessionId);
+      return token;
+    }
     return tokens[0];
   }
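Review bot: The fallback branch added after `const tokens = this.generateTokens(sessionId, 1);` inserts into `sessionMap` without ever removing anything, so once a session reaches `maxTokensPerSession` every further call grows the map by one; the cap the commit message cites as the root cause now bounds nothing, and a client that keeps requesting tokens for one session can grow `sessionTokens` and `tokenToSession` without limit. The symptom (`undefined` reaching a header) is fixed, but the resource bound the cap existed for is lost. A fix that keeps both properties is to make room before inserting: drop expired records for the session first, and if the map is still full evict the oldest entry (a `Map` iterates in insertion order), deleting the same key from `tokenToSession` so the two maps stay consistent. The record-building and map-insertion lines also duplicate what `generateTokens` presumably does (hedged, its body is outside the hunk); pulling them into one private helper would keep the two paths from drifting.

```typescript
    if (tokens.length === 0) {
      const sessionMap = this.sessionTokens.get(sessionId);
      // Keep the per-session cap: drop expired records first, then the oldest
      // (Map preserves insertion order), and keep tokenToSession in step.
      if (sessionMap) {
        const now = Date.now();
        for (const [t, rec] of sessionMap) {
          if (rec.expiresAtMs <= now) {
            sessionMap.delete(t);
            this.tokenToSession.delete(t);
          }
        }
        if (sessionMap.size >= this.maxTokensPerSession) {
          const oldest = sessionMap.keys().next().value;
          if (oldest !== undefined) {
            sessionMap.delete(oldest);
            this.tokenToSession.delete(oldest);
          }
        }
      }
      // … unchanged: build record, get-or-create sessionMap, insert into both maps, return token …
    }
```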