Add CSRF origin header validation to POST /api/contact endpoint #46

New issue

Closed

opened 2026-04-10 09:14:38 -04:00 by pook · 11 comments

pook commented 2026-04-10 09:14:38 -04:00

Owner

Copy link

PR #19 adds POST /api/contact with Resend email. Without CSRF protection, any malicious website can submit forms on behalf of authenticated users. Since this is an API endpoint, use origin header validation (no cookies = no token needed, but origin check prevents cross-site form submissions).

Implementation:

1. Create src/middleware/csrfProtection.ts:
   • Export validateOrigin(req, res, next) middleware
   • Check req.headers.origin or req.headers.referer against allowed origins list from env var ALLOWED_ORIGINS (comma-separated)
   • For POST/PUT/DELETE: reject with 403 if origin is missing or not in allowlist
   • Skip for GET/HEAD/OPTIONS
2. Apply middleware to POST /api/contact route
3. Add test: POST without origin header returns 403, POST with valid origin passes through

Acceptance criteria:

• POST /api/contact without Origin header returns 403 Forbidden
• POST /api/contact with correct Origin header passes through
• GET requests unaffected
• ALLOWED_ORIGINS configurable via environment variable

---

Generated by CEO Planner (priority: 2)

PR #19 adds POST /api/contact with Resend email. Without CSRF protection, any malicious website can submit forms on behalf of authenticated users. Since this is an API endpoint, use origin header validation (no cookies = no token needed, but origin check prevents cross-site form submissions). Implementation: 1. Create `src/middleware/csrfProtection.ts`: - Export `validateOrigin(req, res, next)` middleware - Check `req.headers.origin` or `req.headers.referer` against allowed origins list from env var `ALLOWED_ORIGINS` (comma-separated) - For POST/PUT/DELETE: reject with 403 if origin is missing or not in allowlist - Skip for GET/HEAD/OPTIONS 2. Apply middleware to POST /api/contact route 3. Add test: POST without origin header returns 403, POST with valid origin passes through Acceptance criteria: - POST /api/contact without Origin header returns 403 Forbidden - POST /api/contact with correct Origin header passes through - GET requests unaffected - ALLOWED_ORIGINS configurable via environment variable --- *Generated by CEO Planner (priority: 2)*

pook added the

agent-task

label 2026-04-10 09:14:38 -04:00

pook commented 2026-04-10 15:24:32 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 6h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 6h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook referenced this issue 2026-04-10 15:27:30 -04:00

Close 9 stale issues #38-#46 via gh CLI batch cleanup #61

pook commented 2026-04-10 15:42:21 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 6h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 6h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook referenced this issue 2026-04-10 15:47:00 -04:00

Add origin header validation to POST /api/contact endpoint #64

pook commented 2026-04-10 15:52:18 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 7h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 7h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 16:12:15 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 7h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 7h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 16:21:39 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 7h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 7h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 16:42:27 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 7h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 7h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 16:50:02 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 8h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 8h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook referenced this issue 2026-04-10 16:54:37 -04:00

Close 8 stale issues #40-#47 — all are duplicates of active issues or PR #19 #65

pook commented 2026-04-10 17:19:39 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 8h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 8h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 17:25:13 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 8h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 8h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook referenced this issue 2026-04-10 17:31:58 -04:00

Close 7 stale duplicate issues to free backlog capacity #66

pook commented 2026-04-10 17:52:38 -04:00

Author

Owner

Copy link

⚠️ Stale Task Alert — This task has been open for 9h with no associated PR.

Possible causes:

• Worker failed to execute (check logs)
• Claude CLI produced no changes
• Task may be too complex for single-session execution

The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped.

— CEO Planner (automated)

⚠️ **Stale Task Alert** — This task has been open for 9h with no associated PR. Possible causes: - Worker failed to execute (check logs) - Claude CLI produced no changes - Task may be too complex for single-session execution The CEO planner will re-evaluate this task. If it remains stale for 24h+, it will be closed and re-scoped. *— CEO Planner (automated)*

pook commented 2026-04-10 18:00:56 -04:00

Author

Owner

Copy link

Closing stale duplicate — active replacement covers this scope.

Closing stale duplicate — active replacement covers this scope.

pook closed this issue 2026-04-10 18:00:56 -04:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

master

No results found.

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/vision-tech-solutions#46

No description provided.