fix(ingest): exempt /api/ingest-worker-logs from CSRF middleware #6

Merged
janpeter merged 1 commit from fix/ingest-csrf-exempt into main 2026-05-17 21:47:44 +02:00
Owner

The ingest endpoint is called by the worker-logs-ingest systemd timer via
localhost curl with a Bearer secret — no browser, no cookie, no CSRF token.
The middleware in proxy.ts blocked it with 403 before the route's own Bearer
check ran. Add a small exempt-paths list so server-to-server routes can
authenticate purely via Authorization header.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com
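
The request flow this PR describes, as an added TypeScript example (not the code from proxy.ts or this repository): the CSRF stage skips only an exact-match path list, and the exempted route still enforces its own Bearer check. The names `Req`, `csrfGate`, `bearerGate`, `handle`, the `x-csrf-token` header and the 200/204 success codes are assumptions for illustration.

```typescript
// Added example: all names here are assumptions, not the repository's code.
import { createHash, timingSafeEqual } from "node:crypto";

type Req = { method: string; path: string; headers: Record<string, string | undefined> };

const INGEST_PATH = "/api/ingest-worker-logs";
// Exact-match set: a prefix or regex match would also exempt sibling routes.
const CSRF_EXEMPT_PATHS: ReadonlySet<string> = new Set([INGEST_PATH]);
const SAFE_METHODS: ReadonlySet<string> = new Set(["GET", "HEAD", "OPTIONS"]);

// Hash first so both buffers have equal length, then compare in constant time.
const sha256 = (s: string) => createHash("sha256").update(s).digest();
const sameSecret = (a: string, b: string) => timingSafeEqual(sha256(a), sha256(b));

// Middleware stage. req.path is assumed to be the pathname without query string;
// header keys are assumed to be lower-cased already.
function csrfGate(req: Req, sessionToken: string | undefined): number | null {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null;
  if (CSRF_EXEMPT_PATHS.has(req.path)) return null; // route must authenticate itself
  const sent = req.headers["x-csrf-token"]; // assumed header name
  if (!sent || !sessionToken) return 403;
  return sameSecret(sent, sessionToken) ? null : 403;
}

// Route stage for the exempt endpoint: Authorization header only.
function bearerGate(req: Req, secret: string): number | null {
  const auth = req.headers["authorization"] ?? "";
  if (secret.length === 0 || !auth.startsWith("Bearer ")) return 401;
  return sameSecret(auth.slice("Bearer ".length), secret) ? null : 401;
}

// Full request path: middleware first, then the route's own check.
function handle(req: Req, sessionToken: string | undefined, secret: string): number {
  const blocked = csrfGate(req, sessionToken);
  if (blocked !== null) return blocked;
  if (req.path === INGEST_PATH) return bearerGate(req, secret) ?? 204;
  return 200;
}
```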

Reference
janpeter/Ops-dashboard!6