fix(ingest): exempt /api/ingest-worker-logs from CSRF middleware #6
No description provided.
The ingest endpoint is called by the worker-logs-ingest systemd timer via
localhost curl with a Bearer secret — no browser, no cookie, no CSRF token.
The middleware in proxy.ts blocked it with 403 before the route's own Bearer
check ran. Add a small exempt-paths list so server-to-server routes can
authenticate purely via Authorization header.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
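
Added example, not code from this pull request or from the repository's proxy.ts: a sketch of a CSRF gate with an exact-match exempt list, followed by the route's own Bearer check, showing that lookalike paths stay protected and that the exempt route still rejects a missing or wrong secret. Every name except the route path is hypothetical, and the token and secrets are constructed.

```typescript
// Added illustration, not the repository's proxy.ts. Every name except the
// route path is hypothetical; the token and secret values are constructed.
type Req = { method: string; url: string; headers: Record<string, string | undefined> };

const INGEST_PATH = "/api/ingest-worker-logs";
// Exact pathnames only. Prefix or substring matching would also exempt
// lookalike and child routes that browsers can reach with cookies.
const CSRF_EXEMPT_PATHS = new Set([INGEST_PATH]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const SESSION_CSRF_TOKEN = "constructed-csrf-token"; // stand-in for per-session state

// Normalize first so "/a/../b" style paths are compared in resolved form.
const pathnameOf = (req: Req): string => new URL(req.url, "http://localhost").pathname;

// Dependency-free comparison with no early exit on the first mismatch.
// On Node, crypto.timingSafeEqual is the standard-library call for this.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// Middleware stage: the CSRF check is skipped only for exempt pathnames.
function csrfAllows(req: Req): boolean {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  if (CSRF_EXEMPT_PATHS.has(pathnameOf(req))) return true;
  return safeEqual(req.headers["x-csrf-token"] ?? "", SESSION_CSRF_TOKEN);
}

// Route stage: exemption from CSRF is not exemption from authentication.
function bearerAllows(req: Req, secret: string): boolean {
  const auth = req.headers["authorization"] ?? "";
  return secret.length > 0 && auth.startsWith("Bearer ") && safeEqual(auth.slice(7), secret);
}

// Returns the HTTP status the request would receive.
function handle(req: Req, secret: string): number {
  if (!csrfAllows(req)) return 403;
  if (pathnameOf(req) === INGEST_PATH && !bearerAllows(req, secret)) return 401;
  return 200;
}
```

An unset or empty secret fails closed here, so a misconfigured timer unit gets 401 rather than an open endpoint.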