fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access
The CSRF middleware was rejecting requests from LAN IPs because cfg.Host defaults to 'localhost' which doesn't match the LAN IP. Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of full origins) for additional trusted origins beyond cfg.Host. Removed debug logging from CSRF middleware.
This commit is contained in:
+2
-1
@@ -6,6 +6,7 @@ import (
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
_ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs"
|
||||
"git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth"
|
||||
@@ -126,7 +127,7 @@ func main() {
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(middleware.Session(sessionStore, cfg))
|
||||
r.Use(middleware.RequireAuth)
|
||||
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil))
|
||||
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, strings.Split(os.Getenv("DUMPSTER_CSRF_ORIGINS"), ",")))
|
||||
|
||||
// Auth (protected: me, update profile)
|
||||
authHandler.RegisterProtectedRoutes(r)
|
||||
|
||||
Reference in New Issue
Block a user