fix: resolve recurring iOS PWA forbidden errors via CSRF response header
iOS Safari in PWA standalone mode unreliably handles cookies, causing CSRF token desync between client and server after app resume. Previous fixes (response body token in /auth/me and /auth/login) still left a window where the token could go stale. Now the server sends X-CSRF-Token response header on every API response (via csrfMiddleware), including 403 error responses. The client reads this header from every response, enabling instant self-healing: a 403 extracts the correct token from the error response itself and retries without needing an extra /auth/me round-trip. SW cache bumped to v33 to ensure existing iOS PWA installs pick up the new client code.
This commit is contained in:
Ulas
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Fixed
|
||||
- iOS PWA: recurring "forbidden" (403) errors caused by CSRF token desync after app resume. The server now sends the correct CSRF token as `X-CSRF-Token` response header on every API response (not just `/auth/me` and `/auth/login`). The client reads the header from every response - including 403 errors - enabling instant self-healing without an extra `/auth/me` round-trip. SW cache bumped to v33 to ensure iOS PWA users pick up the fix.
|
||||
|
||||
## [0.20.0] - 2026-04-15
|
||||
|
||||
### Added
|
||||
|
||||
Reference in New Issue
Block a user