@mantiq/core 0.5.9 → 0.5.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/core",
-  "version": "0.5.9",
+  "version": "0.5.11",
   "description": "Service container, router, middleware, HTTP kernel, config, and exception handler",
   "type": "module",
   "license": "MIT",

package/src/middleware/EncryptCookies.ts

@@ -43,7 +43,9 @@ export class EncryptCookies implements Middleware {
       }
 
       try {
-        decrypted[name] = await this.encrypter.decrypt(value)
+        // Cookie values may be URL-encoded (= → %3D) — decode before decrypting
+        const decoded = decodeURIComponent(value)
+        decrypted[name] = await this.encrypter.decrypt(decoded)
       } catch {
         // Can't decrypt — skip this cookie (expired key, tampered, etc.)
         decrypted[name] = value

package/src/middleware/VerifyCsrfToken.ts

@@ -74,16 +74,12 @@ export class VerifyCsrfToken implements Middleware {
     const csrfHeader = request.header('x-csrf-token')
     if (csrfHeader) return csrfHeader
 
-    // 3. Check X-XSRF-TOKEN header (encrypted, from cookie)
+    // 3. Check X-XSRF-TOKEN header (plain token from XSRF-TOKEN cookie)
+    // XSRF-TOKEN cookie is excluded from EncryptCookies so JS can read it.
+    // The value is the raw session token — no decryption needed.
     const xsrfHeader = request.header('x-xsrf-token')
     if (xsrfHeader) {
-      try {
-        // Cookie values may be URL-encoded — decode before decrypting
-        const decoded = decodeURIComponent(xsrfHeader)
-        return await this.encrypter.decrypt(decoded)
-      } catch {
-        return null
-      }
+      return decodeURIComponent(xsrfHeader)
     }
 
     return null