fix: WebSocket 403 spam and missing /swarm endpoints

- CSRF middleware now skips WebSocket upgrade requests (they don't carry tokens) - Added /swarm/live WebSocket endpoint wired to ws_manager singleton - Added /swarm/agents/sidebar HTMX partial (was 404 on every dashboard poll) Stops hundreds of 403 Forbidden + 404 log lines per minute.
2026-03-14 16:29:35 -04:00
parent b30b5c6b57
commit f0b0e2f202
2 changed files with 40 additions and 0 deletions
--- a/src/dashboard/middleware/csrf.py
+++ b/src/dashboard/middleware/csrf.py
@@ -134,6 +134,10 @@ class CSRFMiddleware(BaseHTTPMiddleware):
        if settings.timmy_disable_csrf:
            return await call_next(request)

+        # WebSocket upgrades don't carry CSRF tokens — skip them entirely
+        if request.headers.get("upgrade", "").lower() == "websocket":
+            return await call_next(request)
+
        # Get existing CSRF token from cookie
        csrf_cookie = request.cookies.get(self.cookie_name)