fix: CSRF middleware now trusts origin hostname match instead of exact prefix

The old CSRF middleware used exact string matching against a static list
of origins (https://host, http://localhost:port). This broke when the
frontend ran on a different port (Vite dev server) or accessed via LAN IP.

New behavior:
- Origin hostname matching: any Origin whose hostname matches cfg.Host
  is trusted, regardless of scheme or port
- Localhost variants always trusted: localhost, 127.0.0.1, ::1
- Additional origins can be passed explicitly (future env var support)
This commit is contained in:
2026-06-29 12:57:52 -04:00
parent 3f33859f4a
commit 5c7e461dad
2 changed files with 66 additions and 7 deletions
+1 -1
View File
@@ -126,7 +126,7 @@ func main() {
r.Group(func(r chi.Router) {
r.Use(middleware.Session(sessionStore, cfg))
r.Use(middleware.RequireAuth)
r.Use(middleware.CSRFProtect([]string{"https://" + cfg.Host, "http://localhost:" + cfg.Port}))
r.Use(middleware.CSRFProtect(cfg.Host, cfg.Port, nil))
// Auth (protected: me, update profile)
authHandler.RegisterProtectedRoutes(r)