fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access
The CSRF middleware was rejecting requests from LAN IPs because cfg.Host defaults to 'localhost' which doesn't match the LAN IP. Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of full origins) for additional trusted origins beyond cfg.Host. Removed debug logging from CSRF middleware.
This commit is contained in:
+2
-1
@@ -6,6 +6,7 @@ import (
|
|||||||
"log/slog"
|
"log/slog"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
|
|
||||||
_ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs"
|
_ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs"
|
||||||
"git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth"
|
"git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth"
|
||||||
@@ -126,7 +127,7 @@ func main() {
|
|||||||
r.Group(func(r chi.Router) {
|
r.Group(func(r chi.Router) {
|
||||||
r.Use(middleware.Session(sessionStore, cfg))
|
r.Use(middleware.Session(sessionStore, cfg))
|
||||||
r.Use(middleware.RequireAuth)
|
r.Use(middleware.RequireAuth)
|
||||||
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil))
|
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, strings.Split(os.Getenv("DUMPSTER_CSRF_ORIGINS"), ",")))
|
||||||
|
|
||||||
// Auth (protected: me, update profile)
|
// Auth (protected: me, update profile)
|
||||||
authHandler.RegisterProtectedRoutes(r)
|
authHandler.RegisterProtectedRoutes(r)
|
||||||
|
|||||||
Reference in New Issue
Block a user