Describe the bug
fetchCsrfTokenServer.ts uses fetch() without explicitly disabling caching. In Next.js App Router, server-side fetch() calls are cached by default unless configured otherwise.
This may cause the CSRF token response to be cached and reused across multiple requests, leading to intermittent CSRF validation failures due to stale or reused tokens.
To Reproduce
Steps to reproduce the behavior:
Trigger a server-side request that calls fetchCsrfTokenServer.ts
Perform multiple authenticated form submissions in sequence
Observe intermittent CSRF validation failures
Inspect network/server logs to notice reused CSRF token responses
Expected behavior
Each request to fetch a CSRF token should return a fresh, non-cached token. The server should not reuse previously fetched CSRF tokens across requests.
Are you going to work on fixing this?
Yes
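
An added illustration of the failure mode described in the report, not code from the project or from Next.js: a small synchronous model of a fetch layer that caches by URL unless called with `cache: "no-store"`, placed in front of a hypothetical token endpoint. The `/api/csrf` URL, the `CsrfBackend` class and single-use token validation are assumptions made for the example.

```typescript
// Constructed simulation: not the project's code and not Next.js internals.
type FetchInit = { cache?: "default" | "no-store" };

// Hypothetical token endpoint: issues a new token on every real hit.
class CsrfBackend {
  private issued = new Set<string>();
  private counter = 0;
  hits = 0;
  issue(): string {
    this.hits++;
    const token = `csrf-${++this.counter}`; // stand-in for a random token
    this.issued.add(token);
    return token;
  }
  // Assumption: tokens are single-use, so a token is accepted only once.
  validate(token: string): boolean {
    return this.issued.delete(token);
  }
}

// Models a server-side fetch layer that caches responses by URL unless
// the caller opts out with cache: "no-store".
function makeCachingFetch(backend: CsrfBackend) {
  const cache = new Map<string, string>();
  return (url: string, init: FetchInit = {}): string => {
    const useCache = init.cache !== "no-store";
    if (useCache) {
      const hit = cache.get(url);
      if (hit !== undefined) return hit; // stale token served from cache
    }
    const body = backend.issue();
    if (useCache) cache.set(url, body);
    return body;
  };
}

// Submits n forms in sequence, fetching a token before each submission.
function submitForms(n: number, init: FetchInit) {
  const backend = new CsrfBackend();
  const fetchToken = makeCachingFetch(backend);
  const results: boolean[] = [];
  for (let i = 0; i < n; i++) {
    const token = fetchToken("/api/csrf", init); // hypothetical URL
    results.push(backend.validate(token));
  }
  return { results, backendHits: backend.hits };
}

const cached = submitForms(3, {}); // default caching: token reused
const fresh = submitForms(3, { cache: "no-store" }); // opt-out: fresh token
console.log(cached, fresh);
```

In the model, the cached path reaches the token endpoint once and every later submission replays the same token; on a real server-side `fetch()` call the equivalent opt-out is the `cache: 'no-store'` option.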
