LOADING…
0%
Complete changelog

Commit

Validate JWT header algorithm; remove dead CSRF middleware

Commit details

Commit notes

- Reject JWTs whose header claims any algorithm other than HS256 (verification was already HMAC-pinned; this removes the confusion vector entirely). - Remove the CSRF middleware: its enforcement hook was encapsulated in the plugin (Elysia local scope) and never executed for any route in any environment — verified empirically. More fundamentally, the API carries no ambient credentials (Bearer-token auth, refresh tokens in request bodies, no auth cookies), so double-submit CSRF protects nothing here. The frontend never fetched or sent tokens either. Documented in index.ts so cookie-auth work knows to reintroduce it.

[private session redacted]

Files changed
3
Lines added
+20
Lines removed
−203
This page is a permanent record of commit 84b46961.