From d92ef72a1f9f33ef09fb548b90ba857eac008b63 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Mar 2026 13:02:31 +0000 Subject: [PATCH 1/2] Bump fastapi from 0.133.0 to 0.135.0 Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.133.0 to 0.135.0. - [Release notes](https://github.com/fastapi/fastapi/releases) - [Commits](https://github.com/fastapi/fastapi/compare/0.133.0...0.135.0) --- updated-dependencies: - dependency-name: fastapi dependency-version: 0.135.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Pipfile | 2 +- Pipfile.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Pipfile b/Pipfile index 0c72b53e..68486a4c 100644 --- a/Pipfile +++ b/Pipfile @@ -4,7 +4,7 @@ verify_ssl = true name = "pypi" [packages] -fastapi = "~=0.133.0" +fastapi = "~=0.135.0" uvicorn = "~=0.41.0" litellm = "~=1.81.15" falkordb = "~=1.6.0" diff --git a/Pipfile.lock b/Pipfile.lock index a6590a20..4e07acc4 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "d5a1352a56f59b2f5adf844f91e6ac73b1726ffcac0e4beede069e0e281a06d8" + "sha256": "01cd256299ee7875a03eb7bbb48362e405c0c38e359c227ba49ba1221d4bae1f" }, "pipfile-spec": 6, "requires": { @@ -604,12 +604,12 @@ }, "fastapi": { "hashes": [ - "sha256:0a78878483d60702a1dde864c24ab349a1a53ef4db6b6f74f8cd4a2b2bc67d2f", - "sha256:b900a2bf5685cdb0647a41d5900bdeafc3a9e8a28ac08c6246b76699e164d60d" + "sha256:31e2ddc78d6406c6f7d5d7b9996a057985e2600fbe7e9ba6ace8205d48dff688", + "sha256:bd37903acf014d1284bda027096e460814dca9699f9dacfe11c275749d949f4d" ], "index": "pypi", "markers": "python_version >= '3.10'", - "version": "==0.133.0" + "version": "==0.135.0" }, "fastmcp": { "hashes": [ From 4258045c7257d3b1d3aabf2fb8aeb74b7d5119b1 Mon Sep 17 00:00:00 2001 From: Guy Korland Date: Mon, 2 Mar 2026 10:57:48 +0200 Subject: [PATCH 2/2] fix(e2e): read CSRF token from storageState when Set-Cookie is absent When the Playwright request fixture is initialised from a storageState that already carries a csrf_token cookie, the server does not emit a new Set-Cookie header. getCsrfToken() would then return undefined, causing every state-changing API call to fail with 403 'CSRF token missing or invalid'. Fall back to reading the token from the context's storageState() when the Set-Cookie header does not contain it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- e2e/infra/api/apiRequests.ts | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/e2e/infra/api/apiRequests.ts b/e2e/infra/api/apiRequests.ts index ef0e8bd0..babed7a5 100644 --- a/e2e/infra/api/apiRequests.ts +++ b/e2e/infra/api/apiRequests.ts @@ -24,6 +24,11 @@ const csrfCache = new WeakMap(); /** * Seed the CSRF cookie on the given request context by making a lightweight * GET (only on the first call), then return the cached token value. + * + * When the context is initialised from a storageState that already contains + * a csrf_token cookie, the server will NOT set a new one (no Set-Cookie + * header). In that case we fall back to reading the cookie value that is + * already stored in the context. */ async function getCsrfToken(baseUrl: string, ctx: APIRequestContext): Promise { const cached = csrfCache.get(ctx); @@ -33,7 +38,16 @@ async function getCsrfToken(baseUrl: string, ctx: APIRequestContext): Promise h.name.toLowerCase() === 'set-cookie') .map(h => h.value); - const token = extractCsrfToken(setCookies); + let token = extractCsrfToken(setCookies); + + // If the server didn't set a new cookie, the context may already carry one + // from its storageState – read it directly. + if (!token) { + const state = await ctx.storageState(); + const existing = state.cookies.find(c => c.name === 'csrf_token'); + if (existing) token = existing.value; + } + if (token) csrfCache.set(ctx, token); return token; }