fixes

HardMax71 · HardMax71 · commit c2ed952cd76a · 2025-07-06T19:23:29.000+02:00
diff --git a/backend/app/api/routes/auth.py b/backend/app/api/routes/auth.py
@@ -94,7 +94,7 @@ async def login(
     # Generate CSRF token for the session
     session_id = security_service.get_session_id_from_request(request)
     csrf_token = security_service.generate_csrf_token(session_id)
-    
+
     return {"message": "Login successful", "username": user.username, "csrf_token": csrf_token}
 
 
@@ -183,7 +183,7 @@ async def verify_token(
         # Generate fresh CSRF token for authenticated session
         session_id = security_service.get_session_id_from_request(request)
         csrf_token = security_service.generate_csrf_token(session_id)
-        
+
         return {"valid": True, "username": current_user.username, "csrf_token": csrf_token}
 
     except Exception as e:
diff --git a/backend/app/api/routes/execution.py b/backend/app/api/routes/execution.py
@@ -1,7 +1,6 @@
 from app.core.exceptions import IntegrationException
 from app.core.logging import logger
 from app.core.metrics import ACTIVE_EXECUTIONS, EXECUTION_DURATION, SCRIPT_EXECUTIONS
-from app.core.security import validate_csrf_token
 from app.schemas.execution import (
     ExampleScripts,
     ExecutionRequest,
diff --git a/backend/app/core/security.py b/backend/app/core/security.py
@@ -7,8 +7,8 @@
 from app.schemas.user import UserInDB
 from fastapi import Depends, HTTPException, Request, status
 from fastapi.security import OAuth2PasswordBearer
+from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer
 from passlib.context import CryptContext
-from itsdangerous import URLSafeTimedSerializer, BadSignature, SignatureExpired
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/login")
 
@@ -89,7 +89,7 @@ def validate_csrf_token(self, token: str, session_id: str) -> bool:
         """Validate a CSRF token"""
         try:
             data = self.csrf_serializer.loads(token, max_age=3600)  # 1 hour
-            return data.get("session_id") == session_id
+            return bool(data.get("session_id") == session_id)
         except (BadSignature, SignatureExpired):
             return False
 
@@ -98,7 +98,7 @@ def get_session_id_from_request(self, request: Request) -> str:
         token = request.cookies.get("access_token")
         if token:
             return token[:32]  # Use first 32 chars as session ID
-        
+
         # Fallback to client fingerprint
         client_ip = request.client.host if request.client else "unknown"
         user_agent = request.headers.get("user-agent", "unknown")
@@ -113,35 +113,35 @@ def validate_csrf_token(request: Request) -> str:
     # Skip CSRF validation for safe methods
     if request.method in ["GET", "HEAD", "OPTIONS"]:
         return "skip"
-    
+
     # Skip CSRF validation for auth endpoints
     if request.url.path in ["/api/v1/login", "/api/v1/register", "/api/v1/logout"]:
         return "skip"
-    
+
     # Skip CSRF validation for non-API endpoints
     if not request.url.path.startswith("/api/"):
         return "skip"
-    
+
     # Check if user is authenticated first (has access_token cookie)
     access_token = request.cookies.get("access_token")
     if not access_token:
         # If not authenticated, skip CSRF validation (auth will be handled by other dependencies)
         return "skip"
-    
+
     # Get CSRF token from request
     csrf_token = request.headers.get("X-CSRF-Token")
     if not csrf_token:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="CSRF token missing"
         )
-    
+
     # Validate CSRF token
     session_id = security_service.get_session_id_from_request(request)
     if not security_service.validate_csrf_token(csrf_token, session_id):
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="CSRF token invalid"
         )
-    
+
     return csrf_token
