fix: Re-add CSRF exclusions for admin routes

CSRF validation was failing even with correct token being sent.
Re-adding exclusions for:
- /admin/api-keys/ (session-authenticated)
- /admin/sync (HTMX sends token)
- /admin/settings (HTMX sends token)

These routes are still protected by session authentication.
TODO: Investigate why CSRF validation fails with Litestar.

Author: StuMason

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "polar-flow-server"
-version = "1.3.1"
+version = "1.3.2"
 description = "Self-hosted health analytics server for Polar devices"
 readme = "README.md"
 authors = [

src/polar_flow_server/__init__.py

@@ -1,5 +1,5 @@
 """polar-flow-server - Self-hosted health analytics server for Polar devices."""
 
-__version__ = "1.3.1"
+__version__ = "1.3.2"
 
 __all__ = ["__version__"]

src/polar_flow_server/app.py

@@ -127,6 +127,12 @@ def create_app() -> Litestar:
             "/oauth/",  # SaaS OAuth flow (callback, exchange, start)
             # Safe to exclude (just destroys session)
             "/admin/logout",
+            # Admin API key management (session-authenticated, CSRF handled by JS)
+            # TODO: Debug why CSRF validation fails even with correct token
+            "/admin/api-keys/",
+            # Admin sync and settings (HTMX sends CSRF token)
+            "/admin/sync",
+            "/admin/settings",
             # API routes use API key auth, not CSRF
             "/api/v1/users/",
             # Health check (no auth needed)