fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access

The CSRF middleware was rejecting requests from LAN IPs because
cfg.Host defaults to 'localhost' which doesn't match the LAN IP.

Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of
full origins) for additional trusted origins beyond cfg.Host.

Removed debug logging from CSRF middleware.
This commit is contained in:
2026-06-29 13:20:07 -04:00
parent 5c7e461dad
commit 118155d737
+2 -1
View File
@@ -6,6 +6,7 @@ import (
"log/slog" "log/slog"
"net/http" "net/http"
"os" "os"
"strings"
_ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs" _ "git.dustin.coffee/hobokenchicken/dumpsterChat/docs"
"git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth" "git.dustin.coffee/hobokenchicken/dumpsterChat/internal/auth"
@@ -126,7 +127,7 @@ func main() {
r.Group(func(r chi.Router) { r.Group(func(r chi.Router) {
r.Use(middleware.Session(sessionStore, cfg)) r.Use(middleware.Session(sessionStore, cfg))
r.Use(middleware.RequireAuth) r.Use(middleware.RequireAuth)
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil)) r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, strings.Split(os.Getenv("DUMPSTER_CSRF_ORIGINS"), ",")))
// Auth (protected: me, update profile) // Auth (protected: me, update profile)
authHandler.RegisterProtectedRoutes(r) authHandler.RegisterProtectedRoutes(r)