Till-JS 61d181fbc2 chore: archive inactive projects to apps-archived/
Move inactive projects out of active workspace:
- bauntown (community website)
- maerchenzauber (AI story generation)
- memoro (voice memo app)
- news (news aggregation)
- nutriphi (nutrition tracking)
- reader (reading app)
- uload (URL shortener)
- wisekeep (AI wisdom extraction)

Update CLAUDE.md documentation:
- Add presi to active projects
- Document archived projects section
- Update workspace configuration

Archived apps can be re-activated by moving back to apps/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-29 07:03:59 +01:00


/**
 * Server-side hooks for SvelteKit.
 * Implements custom CSRF protection: OAuth provider callbacks may POST
 * cross-origin, every other state-changing request must come from this
 * app's own origin.
 * NOTE(review): this only has an effect if SvelteKit's built-in origin check
 * (`csrf.checkOrigin` in svelte.config.js) is disabled — otherwise the
 * framework rejects the cross-origin callbacks regardless of this hook. Confirm.
 */
import type { Handle } from '@sveltejs/kit';
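// Routes that are allowed to receive cross-origin POST requests
// (OAuth callbacks from external providers).
//
// NOTE(review): the allowlist waives the origin check for *every* foreign
// origin on these paths, not only Apple's/Google's. The handlers behind them
// must therefore validate the OAuth `state` nonce and the provider's signed
// token themselves (not visible from this file — confirm).
const ALLOWED_PATHS: readonly string[] = [
  '/auth/apple-callback-handler', // Apple Sign-In OAuth callback (server endpoint)
  '/auth/apple-callback', // Apple Sign-In OAuth callback (legacy/fallback)
  '/auth/google-callback', // Google Sign-In OAuth callback (if needed)
];

// Methods that can change server state and therefore need a same-origin check.
// Safe methods (GET/HEAD/OPTIONS) are never checked.
const STATE_CHANGING_METHODS: ReadonlySet<string> = new Set(['POST', 'PATCH', 'PUT', 'DELETE']);

/**
 * Origin (`scheme://host[:port]`) named by a `Referer` header.
 *
 * Used as the fallback source of the requester's origin when the `Origin`
 * header is absent. Returns `null` when there is no Referer or it is not a
 * parseable URL: browsers always send a well-formed Referer, so a malformed
 * one can only come from a non-browser client, which is not a CSRF vector.
 *
 * @param referer raw `Referer` header value, or `null` when the header is absent
 * @returns the referer's origin, or `null` if unknown
 */
function originFromReferer(referer: string | null): string | null {
  if (referer === null) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

/**
 * Custom CSRF protection that allows specific OAuth callback routes
 * while protecting all other routes.
 *
 * A state-changing request (POST/PATCH/PUT/DELETE) is answered with 403 when
 * the origin it claims differs from the app's own origin (`url.origin`),
 * unless the path is one of the {@link ALLOWED_PATHS} OAuth callbacks. The
 * claimed origin is taken from the `Origin` header; when that header is
 * missing, the `Referer` header's origin is used instead, so a cross-site
 * form post from a client that omits `Origin` is still caught.
 *
 * A request carrying neither header is let through deliberately (native and
 * server-to-server clients send neither). NOTE(review): that is more
 * permissive than SvelteKit's built-in origin check, which treats a missing
 * `Origin` as a mismatch — confirm the relaxation is intended.
 *
 * NOTE(review): behind a reverse proxy `url.origin` must resolve to the
 * public origin (adapter-node derives it from ORIGIN / PROTOCOL_HEADER /
 * HOST_HEADER); if it does not, every same-origin submission is rejected.
 * That fails closed, not open.
 */
export const handle: Handle = async ({ event, resolve }) => {
  const { request, url } = event;

  // Safe methods are never checked: a cross-site GET cannot forge a state change.
  if (!STATE_CHANGING_METHODS.has(request.method)) {
    return resolve(event);
  }

  // `Origin` is authoritative when present (browsers set it on every POST).
  // An explicit `Origin: null` (opaque origin — sandboxed iframe, no-referrer
  // policy) does not equal url.origin and is therefore blocked like any other
  // foreign origin.
  const originHeader = request.headers.get('origin');
  const claimedOrigin = originHeader ?? originFromReferer(request.headers.get('referer'));

  const isCrossOrigin = claimedOrigin !== null && claimedOrigin !== url.origin;
  // Exact path match on purpose: no prefix or trailing-slash leniency.
  const isOAuthCallback = ALLOWED_PATHS.includes(url.pathname);

  if (isCrossOrigin && !isOAuthCallback) {
    // Log the blocked request for debugging (header values are attacker
    // controlled; console.warn's object formatting escapes control characters).
    console.warn('CSRF: Blocked cross-origin request:', {
      method: request.method,
      path: url.pathname,
      origin: claimedOrigin,
      originSource: originHeader !== null ? 'origin' : 'referer',
      expectedOrigin: url.origin,
    });
    return new Response('Cross-site POST form submissions are forbidden', {
      status: 403,
    });
  }

  // Allow the request to proceed.
  return resolve(event);
};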