Skip to content

fix(client): fix csrf token when user refreshes, WIP hitting apps #1170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 19, 2025
Merged

fix(client): fix csrf token when user refreshes, WIP hitting apps #1170

merged 2 commits into from
May 19, 2025
+2 −2

Conversation

kunal0137
Copy link
Contributor

Description

(#483)

Changes Made

How to Test

  1. Steps to reproduce/test the behavior
  2. Expected outcomes

Notes

@memisrose
fix(client): fix csrf token when user refreshes, WIP hitting apps

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
34403f7
@kunal0137 kunal0137 requested a review from a team as a code owner May 19, 2025 13:06
@github-actions GitHub Actions
Copy link

@CodiumAI-Agent /describe

@CodiumAI-Agent
Copy link

Title

fix(client): fix csrf token when user refreshes, WIP hitting apps

User description

Description

(#483)

Changes Made

How to Test

  1. Steps to reproduce/test the behavior
  2. Expected outcomes

Notes

PR Type

Bug fix

Description

Enhanced CSRF enablement condition
Added configStore flag detection for CSRF
Fetched CSRF token for POST requests

Changes walkthrough 📝

Relevant files
Bug fix
App.tsx
Refine CSRF enablement check                                                         

packages/client/src/App.tsx

  • Broadened CSRF condition check
  • Integrated configStore.csrf flag
  • Ensured async CSRF token fetching
    		• +2/-2     
    Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
    		•

    @kunal0137
    Merge branch 'dev' into csrf-bug
    Loading
    Loading status checks…
    e86ecd6
    @github-actions GitHub Actions
    Copy link

    @CodiumAI-Agent /review

    @github-actions GitHub Actions
    Copy link

    @CodiumAI-Agent /improve

    @CodiumAI-Agent
    Copy link

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis ✅

    483 - PR Code Verified

    Compliant requirements:

    • Detection of CSRF via dynamic configStore.config.csrf.
    • Fetching token when CSRF.token is absent before POST.

    Requires further human verification:

    • Verify in integration/UI tests that X-Csrf-Token is correctly added to real POST requests.
    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Undefined Store Access

    Accessing _store.configStore.store.config.csrf without ensuring configStore and its properties are initialized can cause runtime errors. Consider using optional chaining or delaying interceptor setup until after config is loaded.

     
    // Check the CSRF before login or after the configStore is set, then add the token
if (CSRF.isEnabled || _store.configStore.store.config.csrf) {
    if (config.method === 'post') {

    @CodiumAI-Agent
    Copy link

    PR Code Suggestions ✨

    CategorySuggestion                                                                                                                                    Impact
    Possible issue
    Use safe property access

    Guard against potential undefined nested properties by using optional chaining when
    accessing the store config. This prevents runtime errors if configStore, store, or
    config is not yet initialized.

    packages/client/src/App.tsx [72]

    -if (CSRF.isEnabled || _store.configStore.store.config.csrf) {
+if (CSRF.isEnabled || _store.configStore?.store?.config?.csrf) {
    Suggestion importance[1-10]: 8

    __

    Why: The optional chaining prevents runtime errors if configStore or its nested properties are undefined when evaluating the CSRF condition.

    		Medium
    General
    Abstract CSRF check logic

    Encapsulate the CSRF enablement check into a helper method (e.g.,
    CSRF.shouldAttachToken) to centralize logic and improve readability.

    packages/client/src/App.tsx [72]

    -if (CSRF.isEnabled || _store.configStore.store.config.csrf) {
+if (CSRF.shouldAttachToken(_store.configStore?.store?.config?.csrf)) {
    Suggestion importance[1-10]: 5

    __

    Why: Encapsulating the check into CSRF.shouldAttachToken improves readability but is a minor refactor requiring a new helper implementation.

    		Low

    @kunal0137 kunal0137 merged commit 432c27a into dev May 19, 2025
    3 checks passed
    @kunal0137 kunal0137 deleted the csrf-bug branch May 19, 2025 13:19
    @kunal0137 kunal0137 restored the csrf-bug branch May 19, 2025 13:19
    @github-actions GitHub Actions
    Copy link

    @CodiumAI-Agent /update_changelog

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers
    No reviews
    Assignees
    No one assigned
    Labels
    None yet
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.

    None yet
    3 participants
    @kunal0137 @CodiumAI-Agent @memisrose