mirror of
https://github.com/yusing/godoxy.git
synced 2026-04-05 08:27:05 +02:00
Implement Signed Double Submit Cookie pattern to prevent CSRF attacks. Adds CSRF token generation, validation, and middleware for API endpoints. Safe methods (GET/HEAD/OPTIONS) automatically receive CSRF cookies, while unsafe methods require X-CSRF-Token header matching the cookie value with valid HMAC signature. Includes same-origin exemption for login/callback endpoints to support browser-based authentication flows.
2.6 KiB
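The commit message above describes the pattern without showing it. The following Go program is an added, self-contained illustration of a Signed Double Submit Cookie as the message describes it (HMAC-signed token in a cookie, safe methods receive the cookie, unsafe methods must echo it in `X-CSRF-Token`, same-origin exemption for configured login/callback paths). It is not GoDoxy's code: the type `CSRF`, the helper names, the cookie name `csrf_token`, the token layout `nonce || HMAC-SHA256(key, nonce)`, the exempt paths `/api/auth/login` and `/api/auth/callback`, and the `Probe` test helper are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical names for this example; GoDoxy's own identifiers may differ.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-CSRF-Token"
	nonceLen       = 32
)

// CSRF holds the HMAC key and the paths exempted when the request is same-origin.
type CSRF struct {
	key    []byte
	exempt map[string]bool
}

func NewCSRF(key []byte, exemptPaths ...string) *CSRF {
	c := &CSRF{key: key, exempt: make(map[string]bool, len(exemptPaths))}
	for _, p := range exemptPaths {
		c.exempt[p] = true
	}
	return c
}

// GenerateToken returns base64url(nonce || HMAC-SHA256(key, nonce)).
// The signature is what stops an attacker who can set cookies on a
// sibling subdomain from minting a matching cookie/header pair himself.
func (c *CSRF) GenerateToken() (string, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, c.key)
	mac.Write(nonce)
	out := make([]byte, 0, nonceLen+sha256.Size)
	out = append(append(out, nonce...), mac.Sum(nil)...)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// ValidateToken recomputes the HMAC over the nonce and compares it in constant time.
func (c *CSRF) ValidateToken(token string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != nonceLen+sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, c.key)
	mac.Write(raw[:nonceLen])
	return hmac.Equal(raw[nonceLen:], mac.Sum(nil))
}

// sameOrigin accepts the request only when Origin (or, failing that, Referer)
// names the host the request was sent to. A missing or "null" Origin is rejected.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if src == "" || err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// Middleware implements the pattern: safe methods get a signed cookie (issued
// when absent or invalid); unsafe methods need header == cookie and a valid
// signature, unless the path is exempt and the request is same-origin.
func (c *CSRF) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			if ck, err := r.Cookie(csrfCookieName); err != nil || !c.ValidateToken(ck.Value) {
				tok, err := c.GenerateToken()
				if err != nil {
					http.Error(w, "csrf token generation failed", http.StatusInternalServerError)
					return
				}
				// HttpOnly must be false: front-end JS reads this cookie to fill the header.
				http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: tok, Path: "/",
					Secure: r.TLS != nil, HttpOnly: false, SameSite: http.SameSiteLaxMode})
			}
			next.ServeHTTP(w, r)
			return
		}
		if c.exempt[r.URL.Path] && sameOrigin(r) {
			next.ServeHTTP(w, r)
			return
		}
		ck, err := r.Cookie(csrfCookieName)
		if err != nil {
			http.Error(w, "missing CSRF cookie", http.StatusForbidden)
			return
		}
		hdr := r.Header.Get(csrfHeaderName)
		if !c.ValidateToken(ck.Value) || subtle.ConstantTimeCompare([]byte(hdr), []byte(ck.Value)) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe is a test helper (constructed for this example): it sends one request
// through h and returns the status code and any csrf cookie the response set.
func Probe(h http.Handler, method, path, cookie, header, origin string) (int, string) {
	req := httptest.NewRequest(method, path, nil) // Host is "example.com"
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	if header != "" {
		req.Header.Set(csrfHeaderName, header)
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	issued := ""
	for _, ck := range rec.Result().Cookies() {
		if ck.Name == csrfCookieName {
			issued = ck.Value
		}
	}
	return rec.Code, issued
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c := NewCSRF(key, "/api/auth/login", "/api/auth/callback")
	h := c.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	_, tok := Probe(h, "GET", "/api/x", "", "", "")
	st, _ := Probe(h, "POST", "/api/x", tok, tok, "")
	forged := base64.RawURLEncoding.EncodeToString(make([]byte, nonceLen+sha256.Size))
	stForged, _ := Probe(h, "POST", "/api/x", forged, forged, "")
	fmt.Println("echoed signed token:", st, " attacker-minted matching pair:", stForged)
}
```

The forged-pair case is the reason for the signature: a plain double submit cookie accepts any cookie and header that match, so an attacker who can plant a cookie (for example from a sibling subdomain) can pass the check. With the HMAC, only tokens minted under the server's key validate. The same-origin exemption is deliberately narrow: it applies only to the configured paths and only when the browser sent an `Origin` or `Referer` naming the request host.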