managarten/memoro/apps/web/src/hooks.server.ts
Till-JS e7f5f942f3 chore: initial commit - consolidate 4 projects into monorepo
Projects included:
- maerchenzauber (NestJS backend + Expo mobile + SvelteKit web + Astro landing)
- manacore (Expo mobile + SvelteKit web + Astro landing)
- manadeck (NestJS backend + Expo mobile + SvelteKit web)
- memoro (Expo mobile + SvelteKit web + Astro landing)

This commit preserves the current state before monorepo restructuring.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 23:38:24 +01:00


/**
* Server-side hooks for SvelteKit
* Implements custom CSRF protection that allows OAuth callbacks
*/
import type { Handle } from '@sveltejs/kit';
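// Routes that are allowed to receive cross-origin POST requests
// (OAuth callbacks from external providers that answer with a form POST).
// Anything listed here bypasses the origin check entirely, so each of these
// endpoints has to validate the OAuth `state` value itself — verify that in
// the corresponding handlers, this hook cannot do it for them.
const ALLOWED_PATHS: ReadonlySet<string> = new Set([
  '/auth/apple-callback-handler', // Apple Sign-In OAuth callback (server endpoint)
  '/auth/apple-callback', // Apple Sign-In OAuth callback (legacy/fallback)
  '/auth/google-callback' // Google Sign-In OAuth callback (if needed)
]);

// State-changing methods subject to the origin check; GET/HEAD/OPTIONS pass through.
const PROTECTED_METHODS: ReadonlySet<string> = new Set(['POST', 'PATCH', 'PUT', 'DELETE']);

/**
 * Decides whether a state-changing request is cross-site.
 *
 * @param headers - the incoming request headers
 * @param expectedOrigin - the origin the app is served from (`url.origin`)
 * @returns the origin the request claims to come from when it differs from
 *   `expectedOrigin`, or `null` when the request is same-origin or carries
 *   neither `Origin` nor `Referer` (non-browser clients such as native apps
 *   send neither; those are allowed on purpose).
 */
function crossSiteOrigin(headers: Headers, expectedOrigin: string): string | null {
  const origin = headers.get('origin');
  if (origin !== null) {
    return origin === expectedOrigin ? null : origin;
  }
  // Browsers send Origin on cross-origin state-changing requests, but some privacy
  // tooling and proxies strip it. Before concluding "not a browser", fall back to
  // Referer, which carries the same information for the CSRF decision.
  const referer = headers.get('referer');
  if (referer === null) return null;
  let refererOrigin: string;
  try {
    refererOrigin = new URL(referer).origin;
  } catch {
    // Not a URL at all: a real browser never sends this, so do not trust it.
    return referer;
  }
  return refererOrigin === expectedOrigin ? null : refererOrigin;
}

/**
 * Custom CSRF protection that allows specific OAuth callback routes
 * while protecting all other routes.
 *
 * This stands in for SvelteKit's built-in origin check, which rejects every
 * cross-origin form POST (the Apple callback included). It only has an effect
 * if `kit.csrf.checkOrigin` is disabled in svelte.config.js — confirm that,
 * because the built-in check runs before any hook.
 *
 * Unlike the built-in check, a request with no `Origin` header is allowed so
 * that non-browser clients can call server endpoints; `Referer` is consulted
 * as a fallback in that case. Blocked requests are logged and answered with
 * 403; everything else is passed to `resolve`.
 */
export const handle: Handle = async ({ event, resolve }) => {
  const { request, url } = event;

  if (PROTECTED_METHODS.has(request.method) && !ALLOWED_PATHS.has(url.pathname)) {
    const blockedOrigin = crossSiteOrigin(request.headers, url.origin);
    if (blockedOrigin !== null) {
      // Log the blocked request for debugging (origin only, never the full Referer URL)
      console.warn('CSRF: Blocked cross-origin request:', {
        method: request.method,
        path: url.pathname,
        origin: blockedOrigin,
        expectedOrigin: url.origin
      });
      return new Response('Cross-site POST form submissions are forbidden', {
        status: 403
      });
    }
  }

  // Allow the request to proceed
  return resolve(event);
};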