From 118155d737d66e36815859a9e6fdb87938cfe373 Mon Sep 17 00:00:00 2001 From: hobokenchicken Date: Mon, 29 Jun 2026 13:20:07 -0400 Subject: [PATCH] fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access The CSRF middleware was rejecting requests from LAN IPs because cfg.Host defaults to 'localhost' which doesn't match the LAN IP. Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of full origins) for additional trusted origins beyond cfg.Host. Removed debug logging from CSRF middleware. --- cmd/server/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/server/main.go b/cmd/server/main.go index 0d61ab5..70b253d 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -6,6 +6,7 @@ import ( "log/slog" "net/http" "os" + "strings" _ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs" "git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth" @@ -126,7 +127,7 @@ func main() { r.Group(func(r chi.Router) { r.Use(middleware.Session(sessionStore, cfg)) r.Use(middleware.RequireAuth) - r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil)) + r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, strings.Split(os.Getenv("DUMPSTER_CSRF_ORIGINS"), ","))) // Auth (protected: me, update profile) authHandler.RegisterProtectedRoutes(r)