Conversation

@jbendson
Collaborator

Fixes "invalid CSRF token" error when clicking Add button on auto-discovery page.

Root cause: HTMX partials for GitLab/GitHub repository listings were not passing csrf_token to template context, causing forms to submit with empty CSRF tokens.

Changes:

  • _build_gitlab_repos_response(): Get csrf_token from cookie and pass to template
  • _build_github_repos_response(): Same fix for GitHub partials
  • Added CSRF_TOKEN_BUG_ANALYSIS.md documenting the issue and solution

The fix retrieves the existing CSRF token from the cookie (preserving session token) or generates a new one if needed.

Josh Bendson added 4 commits January 14, 2026 23:26
Fixes "invalid CSRF token" error when clicking Add button on
auto-discovery page.

Root cause: HTMX partials for GitLab/GitHub repository listings
were not passing csrf_token to template context, causing forms to
submit with empty CSRF tokens.

Changes:
- _build_gitlab_repos_response(): Get csrf_token from cookie and
  pass to template
- _build_github_repos_response(): Same fix for GitHub partials
- Added CSRF_TOKEN_BUG_ANALYSIS.md documenting the issue and solution

The fix retrieves the existing CSRF token from the cookie (preserving
session token) or generates a new one if needed.

Fixes CSRF validation errors for golden repo delete/refresh and
activated repo deactivate actions.

Changes:
- golden_repo_details(): Retrieve csrf_token from cookie instead
  of generating new one
- repo_details(): Same fix for activated repos

Previously these endpoints generated NEW tokens that didn't match
the cookie, causing CSRF validation to fail when forms were submitted.

The previous fix retrieved/generated CSRF tokens but didn't set the
cookie, causing validation failures when new tokens were generated.

Root cause: Partials that generate new CSRF tokens must also set the
cookie so the browser sends the matching token on form submission.

Fixed in 4 functions:
- _build_gitlab_repos_response(): Added set_csrf_cookie()
- _build_github_repos_response(): Added set_csrf_cookie()
- golden_repo_details(): Added set_csrf_cookie()
- repo_details(): Added set_csrf_cookie()

Tested: Auto-discovery Add, golden repo Delete/Refresh, and activated
repo Deactivate all now work without CSRF validation errors.
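The token flow the PR description and commit messages describe, as an added example that is not part of this PR or the project's code: a framework-free model of the double-submit-cookie CSRF pattern, with the buggy partial (fresh token in the template, cookie never set) beside the fixed one (reuse the cookie token, or mint one and set the cookie). All names here (`Request`, `Response`, `render_partial_*`, `validate_csrf`, the `csrf_token` cookie name) are hypothetical.

```python
# Added example, not the project's code: double-submit-cookie CSRF flow.
import secrets
import hmac
from dataclasses import dataclass, field

CSRF_COOKIE = "csrf_token"  # hypothetical cookie name


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    context: dict                      # template context the partial renders with
    set_cookies: dict = field(default_factory=dict)


def render_partial_buggy(req: Request) -> Response:
    # Bug shape from the PR: a fresh token goes into the template but the
    # cookie is never updated, so the form token and cookie cannot match.
    return Response(context={"csrf_token": secrets.token_urlsafe(32)})


def render_partial_fixed(req: Request) -> Response:
    # Fix shape from the PR: reuse the session's cookie token if present;
    # otherwise mint one and set the cookie so the browser sends it back.
    token = req.cookies.get(CSRF_COOKIE)
    resp = Response(context={})
    if not token:
        token = secrets.token_urlsafe(32)
        resp.set_cookies[CSRF_COOKIE] = token
    resp.context["csrf_token"] = token
    return resp


def submit_form(browser_cookies: dict, resp: Response) -> tuple[dict, str]:
    # Simulate the browser: apply Set-Cookie headers, then post the hidden
    # csrf_token field the partial rendered.
    cookies = {**browser_cookies, **resp.set_cookies}
    return cookies, resp.context.get("csrf_token", "")


def validate_csrf(cookies: dict, form_token: str) -> bool:
    # Double-submit check: cookie token and form token must both exist and match.
    cookie_token = cookies.get(CSRF_COOKIE, "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


def demo(render, session_cookies: dict) -> bool:
    # Render the partial for a session, submit its form, and validate.
    resp = render(Request(cookies=dict(session_cookies)))
    cookies, form_token = submit_form(session_cookies, resp)
    return validate_csrf(cookies, form_token)
```

Running `demo` with the buggy renderer fails validation whether or not a session cookie exists, while the fixed renderer passes in both cases and leaves an existing cookie untouched.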
@jsbattig jsbattig merged commit defc730 into master Jan 16, 2026
3 checks passed
jbendson pushed a commit that referenced this pull request Jan 19, 2026
Documents changes since v8.5.2:
- Hybrid authentication for web UI endpoints (PR #730)
- CSRF token handling fixes (PR #729)
- Callback-based delegation job completion (Story #720)
- Server stability improvements (Epic #733)

This commit prepares for creating the v8.5.3 git tag, which will
enable pipx installation at this version.