fix(server): return 403 for CSRF errors instead of 500

theothersideofgod · claude · theothersideofgod · commit b1a0c7317067 · 2026-05-11T18:44:01.000+08:00
Add CSRF error detection to error handler so CSRF validation failures
return proper 403 Forbidden status instead of generic 500.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/graphql/server/src/middleware/error-handler.ts b/graphql/server/src/middleware/error-handler.ts
@@ -32,6 +32,11 @@ interface ErrorResponse {
   logLevel: 'warn' | 'error';
 }
 
+const isCsrfError = (err: Error): boolean => {
+  const code = (err as unknown as { code?: string }).code;
+  return typeof code === 'string' && code.startsWith('CSRF_');
+};
+
 const categorizeError = (err: Error): ErrorResponse => {
   if (isApiError(err)) {
     return {
@@ -41,6 +46,10 @@ const categorizeError = (err: Error): ErrorResponse => {
       logLevel: err.statusCode >= 500 ? 'error' : 'warn',
     };
   }
+  if (isCsrfError(err)) {
+    const code = (err as unknown as { code: string }).code;
+    return { statusCode: 403, code, message: err.message, logLevel: 'warn' };
+  }
   if (err.message?.includes('ECONNREFUSED') || err.message?.includes('connection terminated')) {
     return { statusCode: 503, code: 'SERVICE_UNAVAILABLE', message: sanitizeMessage(err), logLevel: 'error' };
   }
diff --git a/graphql/server/src/plugins/auth-cookie-plugin.ts b/graphql/server/src/plugins/auth-cookie-plugin.ts
@@ -203,10 +203,7 @@ export const AuthCookiePlugin: GraphileConfig.Plugin = {
   grafserv: {
     middleware: {
       processRequest: {
-        callback: async (
-          next: MiddlewareNext<Result | null>,
-          event: Parameters<GraphileConfig.GrafservMiddleware['processRequest']>[0]
-        ): Promise<Result | null> => {
+        callback: async (next, event) => {
           const result = await next();
 
           // Only process buffer results (JSON responses)
