chore(release): 4.2.1 — register extension.manager.supports_csrf_post feature flag #2823
Merged
ltdrdata merged 1 commit into manager-v4 from Apr 22, 2026
923dd15 to
89c0bf3
… feature flag

Lets clients detect CSRF-POST backend support via ComfyUI core's feature_flags instead of parsing version strings. Absence of the flag indicates a Manager version < 4.2.1 that is incompatible with POST-only state-mutation endpoints.

Follow-up to #2818; no endpoint or security behavior change.
89c0bf3 to
81935bd
ltdrdata added a commit to Comfy-Org/ComfyUI_frontend that referenced this pull request (Apr 22, 2026)

Align with Comfy-Org/ComfyUI-Manager backend changes:
- #2818 (4.2.0): CSRF Content-Type gate + GET→POST migration for state-mutation endpoints.
- #2823 (4.2.1): register `extension.manager.supports_csrf_post` server feature flag so clients can detect POST-capable backends without version string parsing.

Service layer (comfyManagerService):
- Convert START_QUEUE, UPDATE_ALL, UPDATE_COMFYUI, REBOOT to POST with body=null and preserved query params. Backend's reject_simple_form_post gate allows body=null + axios default application/json header; only the three CORS simple-form types (x-www-form-urlencoded, multipart/form-data, text/plain) are rejected.

UI/state layer (useManagerState):
- Add ManagerUIState.INCOMPATIBLE — entered when the backend advertises supports_manager_v4 but not supports_csrf_post (old Manager that cannot handle the new POST endpoints). Manager UI is treated as "not installed": shouldShowManagerButtons returns false and consumers (TopMenuSection, MissingNodeCard, MissingPackGroupRow, TabErrors) hide their entry points without any call-site change.
- Graceful degraded mode while users remain on Manager <4.2.1: one-shot upgrade toast (warn, 15s) dispatched via watch(immediate:true) with a module-level guard that survives multiple composable instances; openManager() re-emits on explicit user action so stale shortcuts still surface guidance.
- i18n (en/ko) for the upgrade-required notification covering Desktop / standalone pip / Manager UI self-update paths.

Existing policies preserved:
- `--enable-manager` absent → DISABLED (unchanged).
- `--enable-manager-legacy-ui` → LEGACY_UI (unchanged).
- server feature flags not yet loaded (undefined) → NEW_UI transient fallback (unchanged).

Refs: Comfy-Org/ComfyUI-Manager#2818, Comfy-Org/ComfyUI-Manager#2823
ltdrdata added a commit to Comfy-Org/ComfyUI_frontend that referenced this pull request (Apr 22, 2026)

Without this flag, the ManagerUIState resolver returns INCOMPATIBLE and Comfy.OpenManagerDialog fires the upgrade toast instead of opening the manager dialog, regressing all 9 tests in this spec.

Refs: Comfy-Org/ComfyUI-Manager#2823
ltdrdata added a commit to Comfy-Org/ComfyUI_frontend that referenced this pull request (Apr 23, 2026)

…g spec

`mockServerFeatures()` intercepts `/api/features` HTTP, but `serverFeatureFlags` is populated exclusively via the WebSocket `feature_flags` handler (src/scripts/api.ts:751-758), so the mock never reaches `useManagerState`. Replace with the reactive-ref mutation pattern documented in `shareWorkflowDialog.spec.ts:34-48` so that `supports_v4` + `supports_csrf_post` are actually observable by the INCOMPATIBLE gate introduced in this PR.

Without this, all 9 tests in this file regressed under the new gate: the `OpenManagerDialog` command resolved to INCOMPATIBLE and fired the upgrade toast instead of opening the dialog.

Refs: Comfy-Org/ComfyUI-Manager#2823
christian-byrne pushed a commit to Comfy-Org/ComfyUI_frontend that referenced this pull request (Apr 23, 2026)

## Summary

Align `comfyManagerService` and Manager UI state with CSRF hardening in Comfy-Org/ComfyUI-Manager#2818 (4.2.0, Content-Type gate + GET→POST migration) and Comfy-Org/ComfyUI-Manager#2823 (4.2.1, `extension.manager.supports_csrf_post` feature flag).

## Changes

- **Service layer**: Convert 4 state-mutation endpoints (`START_QUEUE`, `UPDATE_ALL`, `UPDATE_COMFYUI`, `REBOOT`) from GET to POST. `body=null` + axios default `Content-Type: application/json` is allowed by the backend's `reject_simple_form_post` gate (only the three CORS simple-form types are rejected).
- **UI/state layer**: Add `ManagerUIState.INCOMPATIBLE` triggered when the backend advertises `supports_manager_v4` but not `supports_csrf_post`. Manager UI is treated as "not installed" — buttons hide via `shouldShowManagerButtons` with zero call-site changes across `TopMenuSection`, `MissingNodeCard`, `MissingPackGroupRow`, `TabErrors`.
- **Graceful degraded mode**: One-shot upgrade toast (warn, 15s) dispatched via `watch(immediate:true)` with a module-level guard that survives multiple composable instances. `openManager()` re-emits on explicit user action so stale shortcuts still surface guidance. i18n (en/ko) covering Desktop / standalone pip / Manager UI self-update paths.
- **Breaking**: None. Existing policies preserved (`--enable-manager` absent → `DISABLED`; `--enable-manager-legacy-ui` → `LEGACY_UI`; feature flags not yet loaded → `NEW_UI` transient fallback).

## Review Focus

- Decision-tree ordering in `useManagerState.ts`: `supports_csrf_post` check evaluates before `NEW_UI`/`LEGACY_UI` branches so stale Manager backends never reach the enabled paths.
- Toast guard: module-level `incompatibleToastShown` survives multiple composable instances (tests verify 3× `useManagerState()` = 1 toast call).
- `generatedManagerTypes.ts` still declares the 4 endpoints as GET; regeneration follows once Manager 4.2.1 OpenAPI is published. Runtime is unaffected since axios operates on the route string.

## References

- Comfy-Org/ComfyUI-Manager#2818 — CSRF Content-Type gate + GET→POST migration (4.2.0)
- Comfy-Org/ComfyUI-Manager#2823 — `supports_csrf_post` feature flag (4.2.1)
- [comfyui-manager 4.2.1 on PyPI](https://pypi.org/project/comfyui-manager/4.2.1) — release package
Summary

Follow-up to #2818. Registers a server-push feature flag so clients can detect CSRF-POST backend capability via ComfyUI core's `feature_flags` mechanism instead of parsing version strings.

- `extension.manager.supports_csrf_post = True`, registered at Manager import time in `comfyui_manager/__init__.py` via `comfy_api.feature_flags.SERVER_FEATURE_FLAGS`.
- `ImportError` on older ComfyUI cores without `comfy_api.feature_flags` is swallowed silently — Manager continues to function, clients simply do not observe the flag.

Version bump

- `pyproject.toml`: 4.2.0 → 4.2.1 (SSOT; `importlib.metadata.version("comfyui-manager")` reads from here)
- `CHANGELOG.md`: new `## [4.2.1] - 2026-04-22` entry

Test plan

- `python -c "from comfy_api import feature_flags; import comfyui_manager; print(feature_flags.SERVER_FEATURE_FLAGS['extension']['manager']['supports_csrf_post'])"` -> True
- `comfy_api.feature_flags` (Manager still imports, no exception propagated).
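
The two mechanisms this page describes, as an added Python sketch that is not ComfyUI-Manager or ComfyUI code: a Content-Type gate that rejects the three CORS simple-form types on POST (what the referencing commits call `reject_simple_form_post`), and a lookup of the nested `supports_csrf_post` flag. The names `media_type`, `should_reject` and `backend_advertises_csrf_post` are hypothetical; guarding POST only and letting a missing Content-Type through are assumptions drawn from the descriptions above.

```python
# Added illustration, not ComfyUI-Manager source; all names are hypothetical.
from typing import Mapping, Optional

# Content-Type values a cross-origin HTML form (or "simple" fetch) can send
# without a CORS preflight. application/json is not among them.
SIMPLE_FORM_TYPES = frozenset(
    {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
)


def media_type(content_type: Optional[str]) -> str:
    """Bare lower-cased media type; '' when the header is absent or empty."""
    if not content_type:
        return ""
    # Drop parameters such as '; charset=UTF-8' or '; boundary=...'.
    return content_type.split(";", 1)[0].strip().lower()


def should_reject(method: str, headers: Mapping[str, str]) -> bool:
    """True when a POST carries one of the three simple-form content types."""
    if method.upper() != "POST":  # assumption: the gate guards POST only
        return False
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    return media_type(lowered.get("content-type")) in SIMPLE_FORM_TYPES


def backend_advertises_csrf_post(server_flags: object) -> bool:
    """Only an explicit True at extension.manager.supports_csrf_post counts."""
    # A missing level, a non-dict level or a merely truthy value yields False.
    # None (flags not loaded yet) also yields False; the caller decides how to
    # treat that transient state.
    node = server_flags
    for key in ("extension", "manager", "supports_csrf_post"):
        if not isinstance(node, dict):
            return False
        node = node.get(key)
    return node is True


if __name__ == "__main__":
    # Constructed sample requests: (method, headers).
    samples = [("POST", {"Content-Type": "application/json"}),
               ("POST", {"content-type": "Text/Plain; charset=UTF-8"}),
               ("POST", {})]
    for method, headers in samples:
        print(headers, "->", "reject" if should_reject(method, headers) else "allow")
```

The header parsing matters for the gate: a comparison against the raw header value would miss `text/plain;charset=UTF-8` or a mixed-case `Multipart/Form-Data; boundary=...`, both of which a browser can still send cross-origin without a preflight.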