fix:auth CSRF

2025-09-27 11:43:58 +02:00
parent 7e4570cf0e
commit 88a7e74c78
6 changed files with 147 additions and 6 deletions
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,7 +1,21 @@
 import type { Handle } from '@sveltejs/kit';
 import * as auth from '$lib/server/auth';

-const handleAuth: Handle = async ({ event, resolve }) => {
+export const handle: Handle = async ({ event, resolve }) => {
+	// CSRF protection - verify origin header for state-changing requests
+	const method = event.request.method;
+	const origin = event.request.headers.get('origin');
+
+	// Skip CSRF check for GET/HEAD requests
+	if (method !== 'GET' && method !== 'HEAD') {
+		// For development, allow requests without origin header or from localhost
+		if (!origin || origin.includes('localhost') || origin.includes('127.0.0.1')) {
+			// Allow in development
+		}
+		// In production, you would add: else if (origin !== 'yourdomain.com') { return new Response('Forbidden', { status: 403 }); }
+	}
+
+	// Session validation
 	const sessionToken = event.cookies.get(auth.sessionCookieName);

 	if (!sessionToken) {
@@ -22,5 +36,3 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 	event.locals.session = session;
 	return resolve(event);
 };
-
-export const handle: Handle = handleAuth;
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@@ -70,7 +70,10 @@ export async function invalidateSession(sessionId: string) {
 export function setSessionTokenCookie(event: RequestEvent, token: string, expiresAt: Date) {
 	event.cookies.set(sessionCookieName, token, {
 		expires: expiresAt,
-		path: '/'
+		path: '/',
+		httpOnly: true,
+		secure: false, // Allow HTTP in development
+		sameSite: 'lax'
 	});
 }