From 1c6c6d5931aa3f9effe13443aa79782b30073723 Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Mon, 22 Dec 2025 22:35:48 +0100
Subject: [PATCH] fix: Add header validation to log_account endpoint

Align log_account endpoint with other auth endpoints by adding request header validation.
---
 packages/middleware/lib/log-account-handler.ts | 3 +++
 packages/smart-signer/components/auth/process.tsx | 6 +++++-
 packages/smart-signer/lib/auth/use-logout.ts | 6 +++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/packages/middleware/lib/log-account-handler.ts b/packages/middleware/lib/log-account-handler.ts
index 601b1854d..eef113bbb 100644
--- a/packages/middleware/lib/log-account-handler.ts
+++ b/packages/middleware/lib/log-account-handler.ts
@@ -9,12 +9,15 @@ import { logLoginEvent } from './auth-proof-cookie';
 import { getClientIp } from './common-utils';
+import { checkCsrfHeader } from '@smart-signer/lib/csrf-protection';
 export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse) {
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method not allowed' });
 }
+ checkCsrfHeader(req);
+
 const { type, username, authProof } = req.body;
 const ip = getClientIp(req);
diff --git a/packages/smart-signer/components/auth/process.tsx b/packages/smart-signer/components/auth/process.tsx
index 68a0f991c..9b194bcdf 100644
--- a/packages/smart-signer/components/auth/process.tsx
+++ b/packages/smart-signer/components/auth/process.tsx
@@ -11,6 +11,7 @@ import { LoginFormSchema as SignInFormSchema } from '../signin-form';
 import { getOperationForLogin } from '@smart-signer/lib/login-operation';
 import { getChain } from '@transaction/lib/chain';
 import { IOnlineTransaction, operation } from '@hiveio/wax';
+import { csrfHeaderName } from '@smart-signer/lib/csrf-protection';
 import { getLogger } from '@hive/ui/lib/logging';
 const logger = getLogger('app');
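Review bot: The return value of the added `checkCsrfHeader(req);` is discarded, so the guard only has an effect if that helper throws on a missing or wrong header; the csrf-protection module is not part of this patch, so that contract should be confirmed before the endpoint is considered protected. If it does throw, nothing in the visible part of handleLogAccount catches it, and an unhandled exception in a Next API route would typically surface as a generic 500 rather than the explicit status-plus-JSON shape the method check just above uses, which is inconsistent and harder to monitor. A custom-header check of this kind also only holds as long as the API's CORS policy does not let arbitrary origins send that header, which is worth confirming in the same review. A one-line comment at the call site would make the intent clear to the next reader, e.g. `// CSRF guard: require the custom header that our own fetch() calls send (see csrf-protection).` The body of handleLogAccount continues past the hunk.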
@@ -89,7 +90,10 @@ export const useProcessAuth = (authenticateOnBackend: boolean, strict: boolean)
 await fetch('/api/auth/log_account', {
 method: 'POST',
- headers: { 'Content-Type': 'application/json' },
+ headers: {
+ 'Content-Type': 'application/json',
+ [csrfHeaderName]: '1'
+ },
 body: JSON.stringify({
 type: 'login',
 username,
diff --git a/packages/smart-signer/lib/auth/use-logout.ts b/packages/smart-signer/lib/auth/use-logout.ts
index c15fd280b..abaef0f30 100644
--- a/packages/smart-signer/lib/auth/use-logout.ts
+++ b/packages/smart-signer/lib/auth/use-logout.ts
@@ -3,6 +3,7 @@ import { toast } from '@ui/components/hooks/use-toast';
 import { getSigner } from '@smart-signer/lib/signer/get-signer';
 import { useUser } from '@smart-signer/lib/auth/use-user';
 import { useSigner } from '@smart-signer/lib/use-signer';
+import { csrfHeaderName } from '@smart-signer/lib/csrf-protection';
 import { getLogger } from '@hive/ui/lib/logging';
 import { useRouter } from 'next/navigation';
@@ -24,7 +25,10 @@ export function useLogout(redirect?: string) {
 try {
 await fetch('/api/auth/log_account', {
 method: 'POST',
- headers: { 'Content-Type': 'application/json' },
+ headers: {
+ 'Content-Type': 'application/json',
+ [csrfHeaderName]: '1'
+ },
 body: JSON.stringify({
 type: 'logout' // username and loginType will be read from the existing cookie
--
GitLab
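Review bot: The header value `'1'` is hard-coded here and again in the use-logout.ts hunk (`@@ -24,7 +25,10 @@`), while only the header name is imported from csrf-protection; if the server-side check ever starts comparing the value, the two call sites and the checker can drift apart silently. Exporting the complete header pair from the same module (for instance a constant named along the lines of `csrfHeaders` — the name is a suggestion) and spreading it into the request would keep name and value in one place: `headers: { 'Content-Type': 'application/json', ...csrfHeaders }`. The enclosing fetch call and the useProcessAuth body start before and end after the hunk.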