Joined on 2026-03-17
marcel merged pull request marcel/familienarchiv#695 2026-05-30 14:39:14 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests
marcel pushed to fix/csrf-missing-client-fetches at marcel/familienarchiv 2026-05-30 11:56:19 +02:00
397fc3c7e4 test(security): add unit tests for cookies.ts CSRF utilities
marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:54 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🎨 Leonie Voss (@leonievoss) — UI/UX Design Lead

Verdict: Approved

This is a pure security infrastructure fix — no template changes, no style changes, no layout changes. Nothing…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:48 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🧪 Sara Holt (@saraholt) — QA Engineer

Verdict: ⚠️ Approved with concerns

Root cause fix: correct

The fix to csrfFetch (function instead of module-level const) correctly…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:37 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

The coverage is comprehensive and the implementation is correct. My one blocker is about test…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:24 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

📋 Elicit — Requirements Engineer

Verdict: Approved

The PR is well-scoped: it closes the gap between the stated requirement (all client-side mutating requests carry CSRF tokens) and…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:16 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🔧 Tobias Wendt (@tobiwendt) — DevOps & Platform Engineer

Verdict: Approved

No infrastructure changes. No Compose modifications, no CI workflow changes, no new services, no pinned…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:09 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🏗️ Markus Keller (@mkeller) — Application Architect

Verdict: Approved

Architecturally sound. csrfFetch belongs in $lib/shared/cookies.ts — it's cross-cutting infrastructure, and…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 11:47:01 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: Approved

The csrfFetch implementation is clean — single responsibility, well-named, and the JSDoc comment explains the…

marcel pushed to fix/csrf-missing-client-fetches at marcel/familienarchiv 2026-05-30 11:41:03 +02:00
5d8d85057d fix(security): make csrfFetch a function to respect vi.stubGlobal mocks
marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:54:23 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

📋 Elicit — Requirements Engineer

Verdict: ⚠️ Approved with concerns

This PR closes an implicit, never-formally-documented security requirement. The fix is correct. My concern is…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:54:09 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: Approved

No visual, interaction, or accessibility changes in this PR — it's a purely functional security fix. But I…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:54:01 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

⚙️ Tobias Wendt — DevOps & Platform Engineer

Verdict: Approved

Pure TypeScript/Svelte change — nothing touches CI workflows, Docker Compose, image tags, environment variables, or…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:53:53 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🧪 Sara Holt — QA Engineer & Test Strategist

Verdict: 🚫 Changes requested

Eight bugs fixed, zero tests added. I can't approve a security bug fix without regression coverage — the whole…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:53:38 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

This PR closes a real security gap. Eight client-side mutations were going out without…

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:53:20 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

🏗️ Markus Keller — Application Architect

Verdict: Approved

Structurally sound. This is exactly the right place to put this abstraction: a shared utility in $lib/shared/cookies.ts

marcel commented on pull request marcel/familienarchiv#695 2026-05-30 10:53:06 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

The migration is clean, mechanically correct, and internally consistent. The csrfFetch naming is…

marcel created pull request marcel/familienarchiv#695 2026-05-30 10:51:41 +02:00
fix(security): add csrfFetch wrapper, apply to all client-side mutating requests
marcel pushed to fix/csrf-missing-client-fetches at marcel/familienarchiv 2026-05-30 10:51:19 +02:00
58254b492b fix(security): add csrfFetch wrapper and apply to all client-side mutating requests
marcel created branch fix/csrf-missing-client-fetches in marcel/familienarchiv 2026-05-30 10:51:19 +02:00