feat(sdk): attach csrf tokens in sdk pixel triggers

[johbaxter]

Description

Changes Made

How to Test

1. Steps to reproduce/test the behavior
2. Expected outcomes

Notes

[github-actions]

@CodiumAI-Agent /describe

[QodoAI-Agent]

Title

feat(sdk): attach csrf tokens in sdk pixel triggers

---

User description

Description

Changes Made

How to Test

1. Steps to reproduce/test the behavior
2. Expected outcomes

Notes

---

PR Type

Bug fix

---

Description

• Invert CSRF.isEnabled check in request interceptor

• Comment out CSRF token retrieval and storage

• Always add X-CSRF-Token header for pixel calls

---

Changes walkthrough 📝

	Relevant files
Bug fix	api.ts Refine CSRF logic and headers                                                        libs/sdk/src/api/api.ts Invert CSRF enable check conditional Disable CSRF token assignment from response Add X-CSRF-Token header to pixel endpoints +5/-3

---

Need help?

Type /help how to ... in the comments thread for any questions about PR-Agent usage.

Check out the documentation for more information.

[github-actions]

@CodiumAI-Agent /review

[github-actions]

@CodiumAI-Agent /improve

[QodoAI-Agent]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review CSRF Token Assignment The assignment of CSRF.token has been commented out, so headers like "X-CSRF-Token": CSRF.token will send undefined. Ensure the token is correctly extracted (e.g., from response headers) and stored before use. // const token = response.data["X-CSRF-Token"] as string; // enable and store the token CSRF.isEnabled = true; // CSRF.token = token; } Inverted Condition The check if (!CSRF.isEnabled) appears inverted—token fetching runs only when CSRF is disabled. Confirm whether it should run when enabled, and adjust the condition accordingly. if (!CSRF.isEnabled) { if (options.method === "POST") { // use the token if it is there if (!CSRF.token) { const { response } = await get(

[QodoAI-Agent]

PR Code Suggestions ✨

Latest suggestions up to 7bd80ab

Category	Suggestion	Impact
Possible issue	Fix inverted CSRF guard The CSRF guard is inverted so headers will only be added when CSRF is disabled. Revert the condition to check for CSRF.isEnabled before attaching tokens. libs/sdk/src/api/api.ts [27] -if (!CSRF.isEnabled) { +if (CSRF.isEnabled) { Suggestion importance[1-10]: 10 __ Why: The CSRF guard condition is inverted, causing tokens to only be attached when CSRF is disabled, which breaks security logic.	High
	Restore CSRF token storage The CSRF token extraction and assignment are commented out, so no token is ever stored. Uncomment these lines to correctly capture and persist the token from system config. libs/sdk/src/api/api.ts [94-98] -// const token = response.data["X-CSRF-Token"] as string; -// CSRF.token = token; +const token = response.data["X-CSRF-Token"] as string; +CSRF.token = token; Suggestion importance[1-10]: 9 __ Why: Commenting out the token extraction and assignment means no CSRF token is ever stored, preventing protected requests from including a valid token.	High
General	Conditionally include CSRF header Guard against sending an undefined CSRF token by including the header only when CSRF.token is present. Use a conditional spread to omit the header if the token is missing. libs/sdk/src/api/api.ts [180-182] headers: { "Content-Type": "application/x-www-form-urlencoded", - "X-CSRF-Token": CSRF.token, + ...(CSRF.token && { "X-CSRF-Token": CSRF.token }), } Suggestion importance[1-10]: 6 __ Why: Using a conditional spread ensures that an undefined CSRF.token won’t produce an invalid header while still sending the Content-Type header.	Low

---

Previous suggestions

Suggestions up to commit 7bd80ab

Category	Suggestion	Impact
Possible issue	Restore CSRF token storage Uncomment the CSRF token extraction and assignment so the token is stored after fetching system config. This ensures subsequent requests include a valid CSRF token. libs/sdk/src/api/api.ts [94-98] -// const token = response.data["X-CSRF-Token"] as string; -// CSRF.token = token; +const token = response.data["X-CSRF-Token"] as string; +CSRF.token = token; Suggestion importance[1-10]: 10 __ Why: Commented-out extraction and assignment of CSRF.token means the token is never stored, preventing any subsequent CSRF-protected requests from including a valid token.	High
	Correct CSRF guard logic The condition for requesting a CSRF token was inverted, preventing token fetch on POST calls. Change the check to if (CSRF.isEnabled) so tokens are fetched when CSRF protection is active. libs/sdk/src/api/api.ts [27] -if (!CSRF.isEnabled) { +if (CSRF.isEnabled) { Suggestion importance[1-10]: 9 __ Why: The condition is inverted (!CSRF.isEnabled), so the token fetch block never runs when CSRF protection is active, breaking CSRF handling in POST requests.	High
General	Conditionally include CSRF header Guard the X-CSRF-Token header so it’s only included when a valid token exists, preventing undefined headers on requests. Use conditional spreading to include it only if CSRF.token is truthy. libs/sdk/src/api/api.ts [181] -"X-CSRF-Token": CSRF.token, +...(CSRF.token ? { "X-CSRF-Token": CSRF.token } : {}), Suggestion importance[1-10]: 6 __ Why: Guarding the header avoids sending undefined when CSRF.token is not set, which is a minor but useful improvement to request hygiene.	Low

[johbaxter]

Looks good when csrf is enabled, but makes a fetchCsrf when it is not enabled in drag and drop apps

[Paulson-Robert]

Looks good when csrf is enabled, but makes a fetchCsrf when it is not enabled in drag and drop apps

Found the fix for the above issue, pushed the changes in the same branch : 1178-csrf-debug >> commit : 20dd2a520f3085de311779221f98f3bd8a83d8e8

[github-actions]

@CodiumAI-Agent /update_changelog

[QodoAI-Agent]

Changelog updates: 🔄

2025-05-21 *

Added

• Attach CSRF tokens to SDK pixel triggers
• Add CSRF flag in environment and enable conditional fetchCSRF support

to commit the new content to the CHANGELOG.md file, please type:
'/update_changelog --pr_update_changelog.push_changelog_changes=true'