Rockachopa/Timmy-time-dashboard
1
0
Fork 2
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

[loop-cycle-2] fix: resolve endpoint before execution in CSRF middleware (#626) #656

Merged
Timmy merged 1 commits from fix/csrf-exempt-check-before-dispatch into main 2026-03-20 23:05:10 +00:00
Conversation 0 Commits 1 Files Changed 2 +85 -8
Timmy commented 2026-03-20 23:04:54 +00:00
Owner
Copy Link

Summary

Fixes #626 — CSRF middleware was executing endpoints before checking @csrf_exempt.

Problem

When CSRF validation failed and the path was not in the exempt list, the middleware called call_next(request) which executed the endpoint (including all side effects like DB writes), then checked @csrf_exempt afterward. Non-exempt endpoints ran regardless of CSRF protection.

Fix

  • Added _resolve_endpoint() method that walks the FastAPI/Starlette middleware chain to find the matching route endpoint WITHOUT executing it
  • Check @csrf_exempt on the resolved endpoint BEFORE calling call_next()
  • If not exempt, return 403 immediately without ever executing the endpoint

Tests

  • Added regression test proving protected endpoints do NOT execute when CSRF fails
  • Added test confirming @csrf_exempt endpoints still execute normally
  • All 21 CSRF tests pass

Net lines

~+25 code, -5 removed = modest net add, but eliminates a security vulnerability

## Summary Fixes #626 — CSRF middleware was executing endpoints before checking `@csrf_exempt`. ## Problem When CSRF validation failed and the path was not in the exempt list, the middleware called `call_next(request)` which **executed the endpoint** (including all side effects like DB writes), then checked `@csrf_exempt` afterward. Non-exempt endpoints ran regardless of CSRF protection. ## Fix - Added `_resolve_endpoint()` method that walks the FastAPI/Starlette middleware chain to find the matching route endpoint WITHOUT executing it - Check `@csrf_exempt` on the resolved endpoint BEFORE calling `call_next()` - If not exempt, return 403 immediately without ever executing the endpoint ## Tests - Added regression test proving protected endpoints do NOT execute when CSRF fails - Added test confirming `@csrf_exempt` endpoints still execute normally - All 21 CSRF tests pass ## Net lines ~+25 code, -5 removed = modest net add, but eliminates a security vulnerability
Timmy added 1 commit 2026-03-20 23:04:54 +00:00
fix: resolve endpoint before execution in CSRF middleware (#626)
Some checks failed
Tests / lint (pull_request) Has been cancelled
Details
Tests / test (pull_request) Has been cancelled
Details
2a4f6228c7 
Previously, when CSRF validation failed and the path wasn't in the exempt
list, the middleware called call_next() to execute the endpoint BEFORE
checking the @csrf_exempt decorator. This caused side effects (DB writes,
API calls, etc.) to occur on protected endpoints even when CSRF validation
failed.

Now the middleware resolves the route endpoint by walking the FastAPI/
Starlette router WITHOUT executing it, checks @csrf_exempt, and only
then either allows the request through or returns 403.

- Add _resolve_endpoint() method to walk middleware chain and match routes
- Remove call_next() before @csrf_exempt check (5 lines deleted)
- Add regression test proving endpoints don't execute before CSRF check
- Add test confirming @csrf_exempt endpoints still execute normally
Timmy merged commit 9d0f5c778e into main 2026-03-20 23:05:10 +00:00
Timmy deleted branch fix/csrf-exempt-check-before-dispatch 2026-03-20 23:05:10 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
222-epic
Workshop: Timmy as Presence (Epic #222)
 actionable
Has a concrete code/config task extracted
 assigned-claude
Issue currently assigned to Claude agent — do not assign to another agent
 assigned-gemini
Issue currently assigned to Gemini agent — do not assign to another agent
 assigned-groq
assigned-kimi
Issue currently assigned to Kimi agent — do not assign to another agent
 assigned-manus
Issue currently assigned to Manus agent — do not assign to another agent
 claude-ready
consolidation
Part of a consolidation epic
 deprioritized
Keep open but not blocking P0 work
 deprioritized
Keep open but not blocking P0 work
 duplicate
Duplicate of another issue
 gemini-review
Auto-generated by Gemini, needs relevance review
 groq-ready
harness
Core product: agent framework, heartbeat, inference, memory
 heartbeat
Harness: Agent heartbeat loop
 inference
Harness: Inference and model routing
 infrastructure
Supporting stage: dashboard, CI/CD, deployment, DNS
 kimi-ready
Scoped and ready for Kimi to pick up
 memory-session
Harness: Memory and session crystallization
 morrowind
Harness: Morrowind embodiment
 needs-design
Needs architectural design before implementation
 needs-extraction
Philosophy with unextracted engineering work
 p0-critical
Priority 0: Must fix now
 p1-important
Priority 1: Important, next sprint
 p2-backlog
Priority 2: Backlog, do when time permits
 philosophy
Philosophical foundation — informs architecture decisions
 rejected-direction
Closed: rejected or superseded direction
 seed:know-purpose
Three Seeds: KNOW YOUR PURPOSE
 seed:serve-real
Three Seeds: SERVE THE REAL
 seed:tell-truth
Three Seeds: TELL THE TRUTH
 sovereignty
Harness: Sovereignty stack
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Timmy claude grok groq kimi manus perplexity Rockachopa
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#656
Delete Branch "fix/csrf-exempt-check-before-dispatch"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?