yusing be0017dd63 feat(auth): add CSRF protection middleware ...

Implement Signed Double Submit Cookie pattern to prevent CSRF attacks.
Adds CSRF token generation, validation, and middleware for API endpoints.
Safe methods (GET/HEAD/OPTIONS) automatically receive CSRF cookies, while
unsafe methods require X-CSRF-Token header matching the cookie value with
valid HMAC signature. Includes same-origin exemption for login/callback
endpoints to support browser-based authentication flows.

2026-03-21 10:37:15 +08:00

6.6 KiB

Raw Blame History

View Raw