feat(auth): add CSRF token generation and validation #14

Merged
halvaradop merged 5 commits into master from feat/implement-csrf-tokens on Nov 25, 2025
Conversation

@halvaradop (Member) commented Nov 24, 2025

Description

This pull request introduces full support for CSRF (Cross-Site Request Forgery) tokens across the authentication flows.
CSRF tokens are cryptographically strong, randomized, and unpredictable values designed to protect users from unauthorized actions attempted by attackers. These tokens ensure that critical operations, especially those triggered via POST, DELETE, or PATCH requests, cannot be executed without explicit user intent.

By validating CSRF tokens, the library prevents attackers from forcing users to perform unwanted actions such as signing out or modifying account data.

CSRF Token Management

To support secure generation and validation of CSRF tokens, a new endpoint has been introduced:

  • /csrfToken
    This endpoint is responsible for issuing and verifying CSRF tokens:
    • If the user does not yet have a CSRF token, the endpoint generates a new one.
    • If the user already has a CSRF token, the endpoint verifies whether it is valid.
      • If valid -> the token is returned.
      • If invalid -> a new token is generated.

These tokens are then used internally by routes that require strong CSRF protection.

Endpoints Using CSRF Tokens

  • /callback/:oauth
    Generates the CSRF token for the authenticated session after a successful OAuth callback.

  • /signOut
    Validates the CSRF token before revoking the active session.

    • If the token is valid -> the session is closed.
    • If invalid -> the sign-out operation is rejected.

@halvaradop halvaradop merged commit ae37687 into master Nov 25, 2025
2 checks passed
@halvaradop halvaradop deleted the feat/implement-csrf-tokens branch November 25, 2025 22:00
@halvaradop halvaradop added the feature New functionality label Jan 23, 2026