Diffstat (limited to 'internal/auth/middleware.go')
-rw-r--r--internal/auth/middleware.go9
1 files changed, 8 insertions, 1 deletions
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index ecdde82..78f3b53 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -6,6 +6,7 @@ import (
"crypto/subtle"
"encoding/base64"
"net/http"
+ "strings"
"github.com/alexedwards/scs/v2"
)
@@ -63,6 +64,12 @@ func (m *Middleware) ClearSession(r *http.Request) error {
// CSRFProtect checks for a valid CSRF token on state-changing requests
func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // Skip CSRF for agent API endpoints (they use token-based auth, not cookies)
+ if strings.HasPrefix(r.URL.Path, "/agent/") {
+ next.ServeHTTP(w, r)
+ return
+ }
+
// Ensure a token exists in the session
if !m.sessions.Exists(r.Context(), SessionKeyCSRF) {
token, err := generateToken()
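Review bot: The added `strings.HasPrefix(r.URL.Path, "/agent/")` skip disables CSRF checking for every request under that prefix, yet nothing in the middleware verifies the premise the comment relies on — that such requests authenticate with a token rather than the session cookie — so if any handler mounted under `/agent/` (now or later) also honors the session, a cross-site form post to it carries the victim's cookie and bypasses the check entirely. Consider tying the exemption to the credential actually presented rather than to the path alone, e.g. `if strings.HasPrefix(r.URL.Path, "/agent/") && r.Header.Get("Authorization") != "" {` (assuming the agent token travels in that header — substitute whatever header the agent endpoints read), or alternatively have the agent handlers reject session-authenticated requests and record that invariant beside the skip: `// Invariant: handlers under /agent/ must never accept session-cookie auth; CSRFProtect does not cover them`. Since `r.URL.Path` is the decoded path, whether a request like `/agent/../other` can reach a non-agent handler with the exemption applied depends on how the router treats unclean paths, which is worth a test rather than an assumption. The enclosing CSRFProtect closure continues past the end of this hunk.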
@@ -78,7 +85,7 @@ func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
// Check token for state-changing methods
if r.Method == "POST" || r.Method == "PUT" || r.Method == "DELETE" || r.Method == "PATCH" {
requestToken := r.Header.Get("X-CSRF-Token")
-
+
if requestToken == "" {
requestToken = r.FormValue("csrf_token")
}