feat: csrf tokens handling

2025-12-04 06:13:03 +03:00 · 2025-12-04 06:13:03 +03:00 · 6995ce58f6
commit 6995ce58f6
parent ab29c33f5b
12 changed files with 233 additions and 5 deletions
--- a/api/parameters/_index.yaml
+++ b/api/parameters/_index.yaml
@ -1,4 +1,10 @@
 cursor:
  $ref: "./cursor.yaml"
 title_sort:
-  $ref: "./title_sort.yaml"
+  $ref: "./title_sort.yaml"
+accessToken:
+  $ref: "./access_token.yaml"
+csrfToken:
+  $ref: "./xsrf_token_cookie.yaml"
+csrfTokenHeader:
+  $ref: "./xsrf_token_header.yaml"
--- a/api/parameters/access_token.yaml
+++ b/api/parameters/access_token.yaml
@ -0,0 +1,9 @@
+name: access_token
+in: cookie
+required: true
+schema:
+  type: string
+  format: jwt
+example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.x.y"
+description: |
+  JWT access token.
--- a/api/parameters/xsrf_token_cookie.yaml
+++ b/api/parameters/xsrf_token_cookie.yaml
@ -0,0 +1,11 @@
+name: XSRF-TOKEN
+in: cookie
+required: true
+schema:
+  type: string
+  pattern: "^[a-zA-Z0-9_-]{32,64}$"
+example: "abc123def456ghi789jkl012mno345pqr"
+description: |
+  Anti-CSRF token (Double Submit Cookie pattern).
+  Stored in non-HttpOnly cookie, readable by JavaScript.
+  Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
--- a/api/parameters/xsrf_token_header.yaml
+++ b/api/parameters/xsrf_token_header.yaml
@ -0,0 +1,10 @@
+name: X-XSRF-TOKEN
+in: header
+required: true
+schema:
+  type: string
+  pattern: "^[a-zA-Z0-9_-]{32,64}$"
+description: |
+  Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
+  Required for all state-changing requests (POST/PUT/PATCH/DELETE).
+example: "abc123def456ghi789jkl012mno345pqr"