fix: resolve recurring iOS PWA forbidden errors via CSRF response header
iOS Safari in PWA standalone mode unreliably handles cookies, causing CSRF token desync between client and server after app resume. Previous fixes (response body token in /auth/me and /auth/login) still left a window where the token could go stale. Now the server sends an X-CSRF-Token response header on every API response (via csrfMiddleware), including 403 error responses. The client reads this header from every response, enabling instant self-healing: on a 403 it extracts the correct token from the error response itself and retries without needing an extra /auth/me round-trip. SW cache bumped to v33 to ensure existing iOS PWA installs pick up the new client code.
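The client-side half of the self-healing flow described in the commit message, as an added example that is not the project's own code: a fetch wrapper that adopts the X-CSRF-Token header from every response and, on a 403 whose header carries a token different from the one it sent, retries once with that token. The names createCsrfClient and makeMockServer, the stats object, and the mock server (which echoes the token on every response, including the 403, as csrfMiddleware does after this commit) are assumptions made for this illustration; the scenario data is constructed.

```javascript
// Added example, not the project's code. Models the client behaviour described in
// the commit message: read X-CSRF-Token from every response, self-heal on 403.
// createCsrfClient / makeMockServer and the mock server are assumptions.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const CSRF_HEADER = 'x-csrf-token'; // Headers is case-insensitive, so lowercase is fine

function createCsrfClient(fetchImpl, initialToken = null) {
  let token = initialToken;
  const stats = { requests: 0, retries: 0 };

  // Every response may carry the current token; adopt it whenever present.
  function syncToken(res) {
    const fresh = res.headers.get(CSRF_HEADER);
    if (fresh) token = fresh;
  }

  async function send(url, options, attempt) {
    const method = (options.method || 'GET').toUpperCase();
    const headers = new Headers(options.headers || {});
    if (!SAFE_METHODS.has(method) && token) headers.set(CSRF_HEADER, token);
    stats.requests += 1;
    const res = await fetchImpl(url, { ...options, method, headers });
    const sent = headers.get(CSRF_HEADER);
    syncToken(res);
    // Self-heal: a 403 whose header carries a token we did not send means our copy
    // was stale. Retry once (attempt guard prevents loops) with the token taken
    // from the error response itself, no /auth/me round-trip needed.
    if (res.status === 403 && attempt === 0 && !SAFE_METHODS.has(method) &&
        token && token !== sent) {
      stats.retries += 1;
      return send(url, options, attempt + 1);
    }
    return res;
  }

  return {
    fetch: (url, options = {}) => send(url, options, 0),
    getToken: () => token,
    stats,
  };
}

// Constructed mock of the server: enforces the synchronizer token on unsafe
// methods and echoes the current token on every response, including the 403.
function makeMockServer(serverToken) {
  return async function mockFetch(url, { method = 'GET', headers } = {}) {
    const sent = headers ? headers.get(CSRF_HEADER) : null;
    const respHeaders = { 'X-CSRF-Token': serverToken };
    if (!SAFE_METHODS.has(method) && sent !== serverToken) {
      return new Response('{"error":"forbidden"}', { status: 403, headers: respHeaders });
    }
    return new Response('{"ok":true}', { status: 200, headers: respHeaders });
  };
}

// Scenario from the commit message: the PWA resumes holding a stale token and
// issues a POST. Expected: one 403, one retry, final 200, token refreshed.
async function resumeScenario() {
  const server = makeMockServer('fresh-token');
  const client = createCsrfClient(server, 'stale-token');
  const res = await client.fetch('/api/items', { method: 'POST', body: '{}' });
  return {
    status: res.status,
    token: client.getToken(),
    requests: client.stats.requests,
    retries: client.stats.retries,
  };
}

// A GET never needs the token but still picks up the current one from the header.
async function safeMethodScenario() {
  const client = createCsrfClient(makeMockServer('fresh-token'));
  const res = await client.fetch('/api/items');
  return { status: res.status, token: client.getToken(), requests: client.stats.requests };
}

module.exports = { createCsrfClient, makeMockServer, resumeScenario, safeMethodScenario };
```

The retry is bounded to one attempt on purpose: if the server keeps answering 403 with the same token the client already sent, the failure is not a stale token and should surface to the caller rather than loop. Requires Node 18 or newer for the global Headers and Response.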
@@ -41,6 +41,10 @@ function csrfMiddleware(req, res, next) {
|
||||
maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage (gleich wie Session)
|
||||
});
|
||||
|
||||
// Token auch als Response-Header senden (zuverlaessiger als Cookie auf iOS-PWA,
|
||||
// und bei jedem Request aktuell - nicht nur bei /auth/me und /auth/login)
|
||||
res.setHeader('X-CSRF-Token', req.session.csrfToken);
|
||||
|
||||
// Safe Methods benötigen keine Validierung
|
||||
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
|
||||
return next();
|
||||
|
||||
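Review bot: The res.setHeader('X-CSRF-Token', req.session.csrfToken) call sits before the safe-method early return, so the token now rides on every response to every caller, which widens exposure and needs two accompanying checks. First, the CORS configuration must not list X-CSRF-Token in Access-Control-Expose-Headers for any origin other than the app's own; a script on a foreign origin that can issue a credentialed GET would otherwise read the token and the synchronizer-token check would protect nothing. Second, since the client now trusts the header from any response, API responses must not be served from the service-worker cache (Cache-Control: no-store, or an exclusion in the SW fetch handler), or a cached response will push a stale token back into the client and recreate the desync this commit is fixing. Also, if req.session.csrfToken can ever be undefined on this path, Node's setHeader throws on an undefined header value and turns a missing token into a 500; guard the call or ensure the token is always generated above it.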