fix(csrf): prevent undefined token when session at max capacity

Root cause: generateToken() returned undefined when session already had maxTokensPerSession (5) tokens, causing ERR_HTTP_INVALID_HEADER_VALUE. Fix: Force generate token even when at capacity, ensuring we always return a valid token string. Related: v7.1.1 CLI process hang fix
2026-03-02 15:23:19 +08:00 · 2026-03-02 09:58:54 +08:00
parent 0939510e0d
commit d0ac3a5cd2
1 changed files with 20 additions and 0 deletions
--- a/ccw/src/core/auth/csrf-manager.ts
+++ b/ccw/src/core/auth/csrf-manager.ts
@@ -56,6 +56,26 @@ export class CsrfTokenManager {
   */
  generateToken(sessionId: string): string {
    const tokens = this.generateTokens(sessionId, 1);
+    // If no slots available (session at max capacity), force generate anyway
+    // This ensures we always return a valid token
+    if (tokens.length === 0) {
+      const token = randomBytes(32).toString('hex');
+      const expiresAtMs = Date.now() + this.tokenTtlMs;
+      const record: CsrfTokenRecord = {
+        sessionId,
+        expiresAtMs,
+        used: false,
+      };
+      // Get or create session map
+      let sessionMap = this.sessionTokens.get(sessionId);
+      if (!sessionMap) {
+        sessionMap = new Map();
+        this.sessionTokens.set(sessionId, sessionMap);
+      }
+      sessionMap.set(token, record);
+      this.tokenToSession.set(token, sessionId);
+      return token;
+    }
    return tokens[0];
  }