From fa3050a17c154c76e1169829b18b2dea62578f7b Mon Sep 17 00:00:00 2001
From: TradeMate Dev
Date: Sat, 30 May 2026 21:39:02 +0800
Subject: [PATCH] fix: remove CSRF requirement from login/register endpoints

Anonymous users have no CSRF cookie, so require_csrf_token always raises 403 on first visit. This broke all first-time logins and registrations. CSRF protection is unnecessary here since there's no authenticated session to forge requests against.
---
 backend/app/api/v1/auth.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/backend/app/api/v1/auth.py b/backend/app/api/v1/auth.py
index c784098..fa3c9f7 100644
--- a/backend/app/api/v1/auth.py
+++ b/backend/app/api/v1/auth.py
@@ -50,7 +50,6 @@ async def register(
 data: RegisterRequest,
 request: Request,
 db: AsyncSession = Depends(get_db),
- _csrf: str = Depends(require_csrf_token),
 ):
 existing = await db.execute(select(User).where(User.phone == data.phone))
 if existing.scalar_one_or_none():
@@ -99,7 +98,6 @@ async def login(
 data: LoginRequest,
 request: Request,
 db: AsyncSession = Depends(get_db),
- _csrf: str = Depends(require_csrf_token),
 ):
 login_id = data.username or data.phone
 if not login_id:
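Review bot: Removing `_csrf: str = Depends(require_csrf_token),` from `register` in this hunk and from `login` in the second one leaves both endpoints without any cross-site request check, and the description's premise that there is nothing to forge without an authenticated session is the login-CSRF misconception: a cross-site POST to `login` can sign the victim's browser into an account the attacker controls, so the victim's later activity lands in that account. The 403-on-first-visit problem is better fixed by issuing the CSRF cookie to anonymous visitors before these forms are submitted and keeping the dependency in both signatures, or, if that is not feasible, by validating the request `Origin` header against the allowed origins in these two handlers. Whether an anonymous-cookie issuance path already exists cannot be seen here, since `require_csrf_token` is not part of this diff. Both `register` and `login` start before their hunk (the `def` line appears only in the `@@` context) and continue past it.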