fix: CSRF middleware now trusts origin hostname match instead of exact prefix
The old CSRF middleware used exact string matching against a static list of origins (https://host, http://localhost:port). This broke when the frontend ran on a different port (Vite dev server) or accessed via LAN IP. New behavior: - Origin hostname matching: any Origin whose hostname matches cfg.Host is trusted, regardless of scheme or port - Localhost variants always trusted: localhost, 127.0.0.1, ::1 - Additional origins can be passed explicitly (future env var support)
This commit is contained in:
+1
-1
@@ -126,7 +126,7 @@ func main() {
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(middleware.Session(sessionStore, cfg))
|
||||
r.Use(middleware.RequireAuth)
|
||||
r.Use(middleware.CSRFProtect([]string{"https://" + cfg.Host, "http://localhost:" + cfg.Port}))
|
||||
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil))
|
||||
|
||||
// Auth (protected: me, update profile)
|
||||
authHandler.RegisterProtectedRoutes(r)
|
||||
|
||||
Reference in New Issue
Block a user