This repository was archived by the owner on Apr 7, 2026. It is now read-only.
The CSRF exemption check uses pathname.startsWith("/api/auth/callback/"). Any path beginning with that prefix is exempt from CSRF origin validation for POST requests. If a future route is added under /api/auth/callback/something-sensitive, it automatically inherits the CSRF exemption without an explicit security decision.
Fix: Change to an exact set match on known OAuth callback paths (e.g. new Set(["/api/auth/callback/google", "/api/auth/callback/github"]).has(pathname)) rather than a prefix. Alternatively, add a code comment requiring an explicit security review when adding new routes under /api/auth/callback/.
Repo: wopr-network/wopr-platform-ui
File: src/proxy.ts:158
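The two checks side by side, as an added illustration (not code from wopr-platform-ui or its proxy.ts): a minimal origin-validation gate parameterised by an exemption predicate, run over a few constructed requests so the difference between the prefix and the exact-set form is visible. Callback paths, origins and helper names are assumptions for the example.

```typescript
// Added example; not the project's own code. Paths and origins are constructed.

// Explicit allow-list of OAuth callback routes that legitimately receive
// cross-site POSTs (the IdP posts back to us, so no same-origin header exists).
export const OAUTH_CALLBACK_PATHS: ReadonlySet<string> = new Set([
  "/api/auth/callback/google",
  "/api/auth/callback/github",
]);

// The check as the issue describes it: anything under the prefix is exempt.
export function isExemptByPrefix(pathname: string): boolean {
  return pathname.startsWith("/api/auth/callback/");
}

// The suggested fix: only paths that were deliberately listed are exempt.
// Note this is a strict string match: a trailing slash or different case is
// NOT exempt, so path normalisation must happen before this point.
export function isExemptByExactMatch(pathname: string): boolean {
  return OAUTH_CALLBACK_PATHS.has(pathname);
}

export interface ProxiedRequest {
  method: string;
  pathname: string;
  origin: string | null; // value of the Origin header, null if absent
}

// Simplified CSRF origin gate (assumption: only POST is state-changing here).
// Returns "allow" or "reject"; the exemption rule is injected so both
// variants can be compared on the same input.
export function csrfGate(
  req: ProxiedRequest,
  allowedOrigins: ReadonlySet<string>,
  isExempt: (pathname: string) => boolean,
): "allow" | "reject" {
  if (req.method.toUpperCase() !== "POST") return "allow";
  if (isExempt(req.pathname)) return "allow";
  if (req.origin !== null && allowedOrigins.has(req.origin)) return "allow";
  return "reject";
}

// Constructed sample traffic: one legitimate IdP callback, one cross-site POST
// to a hypothetical future route that happens to share the prefix.
export const SAME_SITE: ReadonlySet<string> = new Set(["https://app.example"]);

export const SAMPLE_REQUESTS: ProxiedRequest[] = [
  { method: "POST", pathname: "/api/auth/callback/google", origin: null },
  { method: "POST", pathname: "/api/auth/callback/something-sensitive", origin: "https://attacker.example" },
  { method: "POST", pathname: "/api/auth/callback/github/", origin: null }, // trailing slash
  { method: "GET", pathname: "/api/auth/callback/something-sensitive", origin: null },
];

// Runs every sample through both variants; used to show where they diverge.
export function compareVariants(): Array<{ pathname: string; prefix: string; exact: string }> {
  return SAMPLE_REQUESTS.map((r) => ({
    pathname: r.pathname,
    prefix: csrfGate(r, SAME_SITE, isExemptByPrefix),
    exact: csrfGate(r, SAME_SITE, isExemptByExactMatch),
  }));
}

for (const row of compareVariants()) {
  console.log(`${row.pathname.padEnd(45)} prefix=${row.prefix.padEnd(6)} exact=${row.exact}`);
}
```

The second sample is the case the issue is about: with the prefix rule the cross-site POST to the new route is waved through, with the exact-set rule it falls back to ordinary origin validation and is rejected. The third sample shows the cost of the exact match: a trailing-slash variant of a real callback is no longer exempt, which is the right default but means the proxy must canonicalise paths (or list every accepted spelling) before this check.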