From 258594f3105097880a17adb2290091df80732340 Mon Sep 17 00:00:00 2001
From: Ida Dittrich <i.dittrich@valueon.ch>
Date: Wed, 25 Feb 2026 09:00:12 +0100
Subject: [PATCH] fix: stripe callback csrf rausgenommen

---
 modules/auth/csrf.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auth/csrf.py b/modules/auth/csrf.py
index 40e33961..0266db3e 100644
--- a/modules/auth/csrf.py
+++ b/modules/auth/csrf.py
@@ -28,6 +28,7 @@ class CSRFMiddleware(BaseHTTPMiddleware):
             "/api/google/login",
             "/api/msft/callback",
             "/api/google/callback",
+            "/api/billing/webhook/stripe",  # Stripe webhook (auth via Stripe-Signature)
         }
 
         # Path prefixes exempt from CSRF (for service-to-service callbacks)