1 file changed +8 -1 lines changed
@@ -222,7 +222,8 @@ export async function createServer(): Promise<CloudServer> {
222222 const isWorkspaceProxyRoute = ( path : string ) => / ^ \/ a p i \/ w o r k s p a c e s \/ [ ^ / ] + \/ p r o x y \/ / . test ( path ) ;
223223 app . use ( ( req : Request , res : Response , next : NextFunction ) => {
224224 // Skip CSRF for webhook endpoints and workspace proxy routes
225- if ( CSRF_EXEMPT_PATHS . some ( path => req . path . startsWith ( path ) ) || isWorkspaceProxyRoute ( req . path ) ) {
225+ const isExemptPath = CSRF_EXEMPT_PATHS . some ( exemptPath => req . path . startsWith ( exemptPath ) ) ;
226+ if ( isExemptPath || isWorkspaceProxyRoute ( req . path ) ) {
226227 return next ( ) ;
227228 }
228229
@@ -252,6 +253,12 @@ export async function createServer(): Promise<CloudServer> {
252253 return next ( ) ;
253254 }
254255
256+ // Skip CSRF for admin API key authenticated requests
257+ const adminSecret = req . get ( 'x-admin-secret' ) ;
258+ if ( adminSecret ) {
259+ return next ( ) ;
260+ }
261+
255262 // Skip CSRF for test endpoints in non-production
256263 if ( process . env . NODE_ENV !== 'production' && req . path . startsWith ( '/api/test/' ) ) {
257264 return next ( ) ;
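Review bot: The new block at lines 257–259 skips CSRF whenever an `x-admin-secret` header is present with any non-empty value; the value is never compared with the configured secret, so the comment "admin API key authenticated requests" claims more than this code checks. If a later handler falls back to the session cookie when the header is invalid (not visible here), a cookie-authenticated request carrying a bogus header reaches it with no CSRF check, and the only remaining barrier is the CORS policy for that header. Validate the value before skipping, for example by comparing it with the configured secret via `crypto.timingSafeEqual` on equal-length buffers and falling through to the CSRF check on mismatch. If validation is guaranteed downstream, the comment should say so instead: `// Skip CSRF when x-admin-secret is present; the value itself is verified by the admin auth middleware`. The enclosing middleware begins in the first hunk and continues past this one.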