
fix: send CSRF token for agent controls #420

Merged
xlabtg merged 2 commits into xlabtg:main from konard:issue-419-7bf2be69dd38
Apr 25, 2026

@konard konard commented Apr 25, 2026

Summary

  • Route the sidebar Start Agent and Stop Agent actions through the shared WebUI API client.
  • Preserve the existing 10s abort behavior while letting the shared client attach credentials, JSON headers, and the X-CSRF-Token header for mutating requests.
  • Add a regression test proving api.agentStop() reads teleton_csrf from document.cookie and sends it as X-CSRF-Token.

Reproduction

Before this change, the Stop Agent button used a raw fetch('/api/agent/stop', { method: 'POST' }), bypassing the shared API client. The WebUI CSRF middleware requires the value of the teleton_csrf cookie in the X-CSRF-Token header for POST requests, so the stop request was rejected with:

CSRF token missing or invalid. Include the value of the 'teleton_csrf' cookie in the 'X-CSRF-Token' request header.

Verification

  • npx vitest run web/src/lib/__tests__/api.test.ts
  • npm run build:sdk
  • npm run typecheck
  • npm run lint
  • npm test

Fixes #419

Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: xlabtg#419
@konard konard changed the title from "[WIP] Failed to stop agent" to "fix: send CSRF token for agent controls" Apr 25, 2026
@konard konard marked this pull request as ready for review April 25, 2026 03:46
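
The pattern described in this PR, as an added example that is not the project's code: a shared client that copies the teleton_csrf cookie value into X-CSRF-Token on mutating requests and keeps the 10s abort. Function names, the safe-method set and the choice to fail locally when the cookie is missing are assumptions.

```javascript
// Added example, not the project's code. Only teleton_csrf, X-CSRF-Token and
// /api/agent/stop come from the PR; every other name is an assumption.
const CSRF_COOKIE = 'teleton_csrf';
const CSRF_HEADER = 'X-CSRF-Token';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Return one cookie's value from a document.cookie-style string, or null.
// The name is compared exactly, so "x_teleton_csrf" does not match.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Build fetch() options: credentials and JSON headers on every request,
// the CSRF header only on state-changing methods.
function buildRequestInit(method, cookieString, body) {
  const verb = method.toUpperCase();
  const headers = { Accept: 'application/json' };
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  if (!SAFE_METHODS.has(verb)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    // Assumption of this example: fail locally rather than send a request
    // the CSRF middleware is going to reject.
    if (!token) throw new Error(`${CSRF_COOKIE} cookie is not set`);
    headers[CSRF_HEADER] = token;
  }
  const init = { method: verb, credentials: 'same-origin', headers };
  if (body !== undefined) init.body = JSON.stringify(body);
  return init;
}

// Single entry point for UI code, so no component needs a raw fetch().
async function apiRequest(path, method = 'GET', body, timeoutMs = 10_000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const init = buildRequestInit(method, document.cookie, body);
    return await fetch(path, { ...init, signal: controller.signal });
  } finally {
    clearTimeout(timer);
  }
}

const agentStop = () => apiRequest('/api/agent/stop', 'POST');
```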

konard commented Apr 25, 2026

Solution summary

Implemented and pushed the fix for issue 419.

PR: #420

What changed:

  • AgentControl now uses the shared api.agentStart() / api.agentStop() client instead of raw fetch.
  • The shared client attaches X-CSRF-Token from the teleton_csrf cookie for mutating requests, fixing the Stop Agent failure.
  • Added a regression test covering api.agentStop() CSRF header behavior.
  • Updated PR title/body and marked PR 420 ready for review.

Verification:

  • npx vitest run web/src/lib/__tests__/api.test.ts passed
  • npm run build:sdk passed
  • npm run typecheck passed
  • npm run lint passed
  • npm test passed: 198 files, 3436 tests
  • GitHub PR checks are passing; PR is mergeable and no longer draft.

Working tree is clean for tracked files. Local ignored artifacts remain from verification only: node_modules/, logs, and packages/sdk/dist/.


This summary was automatically extracted from the AI working session output.


konard commented Apr 25, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Model: GPT-5.5
  • Provider: OpenAI
  • Public pricing estimate: $4.950863

📊 Context and tokens usage:

  • 3.2M / 1.1M (303%) input tokens, 8.9K / 130K (7%) output tokens

Total: (151.4K + 3.0M cached) input tokens, 8.9K output tokens, $4.950863 cost

🤖 Models used:

  • Tool: OpenAI Codex
  • Requested: gpt-5.5
  • Model: GPT-5.5 (gpt-5.5)

📎 Log file uploaded as Gist (12770KB)


The working session has now ended; feel free to review and add any feedback on the solution draft.

@xlabtg xlabtg merged commit be7dff9 into xlabtg:main Apr 25, 2026
18 checks passed