v0.19.1 - iOS PWA Session/CSRF Fixes

@ulsklyc ulsklyc released this 14 Apr 15:38
· 1242 commits to main since this release

Fixed

  • iOS PWA: "Forbidden" errors after app resume - CSRF cookie was not renewed on /auth/me (the first API call after iOS kills and restarts the standalone webapp). iOS aggressively purges cookies of background webapps, causing CSRF token mismatch on all subsequent POST/PUT/DELETE requests
  • CSRF middleware hardening - added try-catch and hex validation to prevent server crash from corrupted token cookies
  • API client: automatic CSRF retry - state-changing requests that fail due to stale CSRF tokens are now transparently retried after renewing the token
  • Service Worker: iOS blank page fix - added 200ms delay before controllerchange reload to let the new SW complete clients.claim()
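
A sketch of the kind of check the CSRF middleware hardening item describes, as an added example that is not the project's own code. It assumes a double-submit scheme; the cookie name `csrf_token`, the header `x-csrf-token`, the 64-character hex token format and all function names are hypothetical.

```javascript
// Added illustration: assumed double-submit CSRF check, hypothetical names.
const TOKEN_HEX = /^[0-9a-f]{64}$/; // assumed format: 32 random bytes as hex

// Read one cookie from a raw Cookie header. decodeURIComponent throws
// URIError on a malformed percent-escape, so the caller must guard it.
function readCookie(header, name) {
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Compare two strings without returning early at the first mismatch.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length && i < b.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

const isToken = (v) => typeof v === 'string' && TOKEN_HEX.test(v);

// Returns { ok, status } and never throws: a corrupted or missing token
// cookie ends in a 403 for that request instead of an unhandled exception.
function checkCsrf(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return { ok: true, status: 200 };
  try {
    const cookieToken = readCookie(req.headers.cookie, 'csrf_token');
    const headerToken = req.headers['x-csrf-token'];
    if (!isToken(cookieToken) || !isToken(headerToken)) return { ok: false, status: 403 };
    const ok = constantTimeEqual(cookieToken, headerToken);
    return { ok, status: ok ? 200 : 403 };
  } catch (err) {
    return { ok: false, status: 403 };
  }
}

// Constructed sample requests (not captured traffic).
const token = 'ab'.repeat(32);
const post = (cookie) => ({ method: 'POST', headers: { cookie, 'x-csrf-token': token } });
console.log(checkCsrf(post(`sid=1; csrf_token=${token}`))); // valid pair
console.log(checkCsrf(post('csrf_token=%E0%A4%A')));        // corrupted cookie
console.log(checkCsrf(post('sid=1')));                      // cookie purged
```

The purged-cookie case ends in the same 403 that the API client's retry-after-renewal handles on the client side.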

Full Changelog: v0.19.0...v0.19.1