From 0a9347cdd21420923a68a334233e7022ad5bd444 Mon Sep 17 00:00:00 2001
From: patrick-motsch
Date: Fri, 13 Feb 2026 12:37:22 +0100
Subject: [PATCH] fixed routes exceptions for teams com
---
modules/auth/csrf.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/auth/csrf.py b/modules/auth/csrf.py
index eca69113..c29d6aec 100644
--- a/modules/auth/csrf.py
+++ b/modules/auth/csrf.py
@@ -27,8 +27,13 @@ class CSRFMiddleware(BaseHTTPMiddleware):
"/api/msft/login",
"/api/google/login",
"/api/msft/callback",
- "/api/google/callback"
+ "/api/google/callback",
}
+
+ # Path prefixes exempt from CSRF (for service-to-service callbacks)
+ self._exemptPrefixes = [
+ "/api/teamsbot/", # .NET Media Bridge callbacks (bridge/status, bridge/audio)
+ ]
# State-changing HTTP methods that require CSRF protection
self.protected_methods = {"POST", "PUT", "DELETE", "PATCH"}
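Review bot: The new attribute `self._exemptPrefixes` breaks the snake_case naming its siblings `exempt_paths` and `protected_methods` use on the same class; rename it `self._exempt_prefixes` (and its use in the request-check hunk below). The prefix `/api/teamsbot/` is also wider than the two bridge callbacks the comment names, so any route added under that prefix later is silently exempted from CSRF; tightening it to `"/api/teamsbot/bridge/",  # .NET Media Bridge callbacks (bridge/status, bridge/audio)` keeps the exemption to what is documented. Because these routes skip CSRF entirely, the comment should state what authenticates the bridge caller instead, e.g. `# Exempt from CSRF only: the handlers must authenticate the bridge caller themselves`, since nothing in this hunk shows that check. The enclosing method starts and ends outside the hunk.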
@@ -37,9 +42,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
"""
Check CSRF token for state-changing operations.
"""
- # Skip CSRF check for exempt paths
+ # Skip CSRF check for exempt paths (exact match)
if request.url.path in self.exempt_paths:
return await call_next(request)
+
+ # Skip CSRF check for exempt path prefixes (bridge callbacks etc.)
+ if any(request.url.path.startswith(p) for p in self._exemptPrefixes):
+ if "/bridge/" in request.url.path:
+ return await call_next(request)
# Skip CSRF check for non-state-changing methods
if request.method not in self.protected_methods: