Rockachopa/Timmy-time-dashboard
1
0
Fork 2
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

[loop-generated] [bug] CSRF middleware docstring shows hardcoded secret placeholder #485

New Issue
Closed
opened 2026-03-19 19:47:52 +00:00 by Timmy · 0 comments
Timmy commented 2026-03-19 19:47:52 +00:00
Owner
Copy Link

Problem

Line 103 of src/dashboard/middleware/csrf.py shows secret="***" in the docstring usage example. While this is just a docstring, it sets a bad example. The actual init correctly accepts the secret parameter.

More importantly, the CSRF middleware secret parameter (line 117-123) is stored but never actually used for token signing - tokens are just random values compared via cookie. This means the secret serves no cryptographic purpose.

Acceptance Criteria

  • Either implement HMAC-signed CSRF tokens using the secret, or remove the unused secret parameter
  • Update docstring to show proper usage
  • All tests pass

Files

  • src/dashboard/middleware/csrf.py
  • tests/ (CSRF-related tests)
## Problem Line 103 of src/dashboard/middleware/csrf.py shows `secret="***"` in the docstring usage example. While this is just a docstring, it sets a bad example. The actual init correctly accepts the secret parameter. More importantly, the CSRF middleware `secret` parameter (line 117-123) is stored but never actually used for token signing - tokens are just random values compared via cookie. This means the secret serves no cryptographic purpose. ## Acceptance Criteria - Either implement HMAC-signed CSRF tokens using the secret, or remove the unused secret parameter - Update docstring to show proper usage - All tests pass ## Files - src/dashboard/middleware/csrf.py - tests/ (CSRF-related tests)
Timmy closed this issue 2026-03-19 19:52:31 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
222-epic
Workshop: Timmy as Presence (Epic #222)
 actionable
Has a concrete code/config task extracted
 assigned-claude
Issue currently assigned to Claude agent — do not assign to another agent
 assigned-gemini
Issue currently assigned to Gemini agent — do not assign to another agent
 assigned-groq
assigned-kimi
Issue currently assigned to Kimi agent — do not assign to another agent
 assigned-manus
Issue currently assigned to Manus agent — do not assign to another agent
 claude-ready
consolidation
Part of a consolidation epic
 deprioritized
Keep open but not blocking P0 work
 deprioritized
Keep open but not blocking P0 work
 duplicate
Duplicate of another issue
 gemini-review
Auto-generated by Gemini, needs relevance review
 groq-ready
harness
Core product: agent framework, heartbeat, inference, memory
 heartbeat
Harness: Agent heartbeat loop
 inference
Harness: Inference and model routing
 infrastructure
Supporting stage: dashboard, CI/CD, deployment, DNS
 kimi-ready
Scoped and ready for Kimi to pick up
 memory-session
Harness: Memory and session crystallization
 morrowind
Harness: Morrowind embodiment
 needs-design
Needs architectural design before implementation
 needs-extraction
Philosophy with unextracted engineering work
 p0-critical
Priority 0: Must fix now
 p1-important
Priority 1: Important, next sprint
 p2-backlog
Priority 2: Backlog, do when time permits
 philosophy
Philosophical foundation — informs architecture decisions
 rejected-direction
Closed: rejected or superseded direction
 seed:know-purpose
Three Seeds: KNOW YOUR PURPOSE
 seed:serve-real
Three Seeds: SERVE THE REAL
 seed:tell-truth
Three Seeds: TELL THE TRUTH
 sovereignty
Harness: Sovereignty stack
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Timmy claude grok groq kimi manus perplexity Rockachopa
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#485
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?