Commit
Validate JWT header algorithm; remove dead CSRF middleware
Commit details
Commit notes
- Reject JWTs whose header claims any algorithm other than HS256 (verification was already HMAC-pinned; this removes the confusion vector entirely). - Remove the CSRF middleware: its enforcement hook was encapsulated in the plugin (Elysia local scope) and never executed for any route in any environment — verified empirically. More fundamentally, the API carries no ambient credentials (Bearer-token auth, refresh tokens in request bodies, no auth cookies), so double-submit CSRF protects nothing here. The frontend never fetched or sent tokens either. Documented in index.ts so cookie-auth work knows to reintroduce it.
[private session redacted]
- Files changed
- 3
- Lines added
- +20
- Lines removed
- −203