State-changing requests across the Studio surfaces are now uniformly protected against cross-site request forgery. The documentation surface, previously outside the CSRF filter, is brought to parity with the application editor and console clients, and an expired session now recovers through a re-login flow instead of failing on the next request.
Documentation surface brought to parity
- Filter coverage extended. The CSRF filter, previously mapped only to the editor and console paths, now covers the documentation paths, so their state-changing requests are validated like every other surface.
- Full token round-trip. The server injects the token into the served page and the client returns it on every request through a shared token service and a retry adapter that transparently renews a stale token and replays a rejected request once.
Session re-login and token renewal
- Re-login dialog. An unauthorized response now opens a login dialog and renews the token on success, where previously the event was published but nothing surfaced it, so a re-login would fail on subsequent requests.
- Cross-tab synchronisation. The refreshed token is broadcast across browser tabs, and a focus health check awaits token readiness before resuming, so a session restored in one tab is honoured in the others.
The change is defensive and backward-compatible: clients that already carried a token continue unchanged, while the surfaces that lacked the full round-trip now close the gap.