alai-dev/trade-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remove CSRF requirement from login/register endpoints

Browse Source 
Anonymous users have no CSRF cookie, so require_csrf_token always
raises 403 on first visit. This broke all first-time logins and
registrations. CSRF protection is unnecessary here since there's
no authenticated session to forge requests against.
This commit is contained in:
TradeMate Dev
2026-05-30 21:39:02 +08:00
parent 4122571f86
commit fa3050a17c
1 changed files with 0 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/v1/auth.py
-2
View File
@@ -50,7 +50,6 @@ async def register(
data: RegisterRequest, data: RegisterRequest,
request: Request, request: Request,
db: AsyncSession = Depends(get_db), db: AsyncSession = Depends(get_db),
_csrf: str = Depends(require_csrf_token),
): ):
existing = await db.execute(select(User).where(User.phone == data.phone)) existing = await db.execute(select(User).where(User.phone == data.phone))
if existing.scalar_one_or_none(): if existing.scalar_one_or_none():
@@ -99,7 +98,6 @@ async def login(
data: LoginRequest, data: LoginRequest,
request: Request, request: Request,
db: AsyncSession = Depends(get_db), db: AsyncSession = Depends(get_db),
_csrf: str = Depends(require_csrf_token),
): ):
login_id = data.username or data.phone login_id = data.username or data.phone
if not login_id: if not login_id: