fix: remove CSRF requirement from login/register endpoints

Anonymous users have no CSRF cookie, so require_csrf_token always raises 403 on first visit. This broke all first-time logins and registrations. CSRF protection is unnecessary here since there's no authenticated session to forge requests against.
2026-05-30 21:39:02 +08:00
parent 4122571f86
commit fa3050a17c
1 changed files with 0 additions and 2 deletions
@@ -50,7 +50,6 @@ async def register(
    data: RegisterRequest, 
    request: Request, 
    db: AsyncSession = Depends(get_db),
-    _csrf: str = Depends(require_csrf_token),
 ):
    existing = await db.execute(select(User).where(User.phone == data.phone))
    if existing.scalar_one_or_none():
@@ -99,7 +98,6 @@ async def login(
    data: LoginRequest,
    request: Request,
    db: AsyncSession = Depends(get_db),
-    _csrf: str = Depends(require_csrf_token),
 ):
    login_id = data.username or data.phone
    if not login_id: