authorAdam Mathes <adam@adammathes.com>2026-02-14 10:52:50 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 10:52:50 -0800
commit5e24550cacd0f80ea4ec62dab873e747b2ae86b7 (patch)
treec2666291bb48eb930e0254de8cde2c7108be7f79 /frontend
parent419d84d2a8e84d028b145df57d1584a3fe163b37 (diff)
fix: CSRF cookie configuration for local network access\n\n- Changed SameSite from Lax to None to allow cookie access across localhost/IP variations\n- Added Secure=false for local development (should be true in production with HTTPS)\n- Added credentials:'include' to all fetch requests to ensure cookies are sent\n- Updated tests to expect credentials parameter in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN IPs like 192.168.x.x
Diffstat (limited to 'frontend')
-rw-r--r--frontend/src/components/FeedItems.test.tsx4
-rw-r--r--frontend/src/utils.ts1
2 files changed, 4 insertions, 1 deletions
diff --git a/frontend/src/components/FeedItems.test.tsx b/frontend/src/components/FeedItems.test.tsx
index 6ffd026..555d8a2 100644
--- a/frontend/src/components/FeedItems.test.tsx
+++ b/frontend/src/components/FeedItems.test.tsx
@@ -106,6 +106,7 @@ describe('FeedItems Component', () => {
expect.objectContaining({
method: 'PUT',
body: JSON.stringify({ read: true, starred: false }),
+ credentials: 'include',
})
);
});
@@ -124,7 +125,8 @@ describe('FeedItems Component', () => {
'/api/item/102',
expect.objectContaining({
method: 'PUT',
- body: JSON.stringify({ read: true, starred: true }), // toggled to true
+ body: JSON.stringify({ read: true, starred: true }),
+ credentials: 'include', // toggled to true
})
);
});
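Review bot: The trailing comment `// toggled to true` has moved onto the `credentials: 'include'` line, but it describes `starred: true` in the body above it, so it now reads as if it explains the credentials mode. Keep it where it was, `body: JSON.stringify({ read: true, starred: true }), // toggled to true`, and follow that with a bare `credentials: 'include',`. The enclosing test case starts outside this hunk.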
diff --git a/frontend/src/utils.ts b/frontend/src/utils.ts
index 129ebbb..ebfb692 100644
--- a/frontend/src/utils.ts
+++ b/frontend/src/utils.ts
@@ -27,5 +27,6 @@ export async function apiFetch(input: RequestInfo | URL, init?: RequestInit): Pr
return fetch(input, {
...init,
headers,
+ credentials: 'include', // Ensure cookies are sent
});
}
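Review bot: Placing `credentials: 'include'` after `...init` forces the mode on every call and silently overrides any `credentials` value a caller passes in. `apiFetch` accepts any `RequestInfo | URL`, so an absolute cross-origin URL would also carry the session and CSRF cookies. This matters more given the commit message's relaxation of the cookie to SameSite=None; that server-side change is not in this diff. If the API is served from the same origin as the page, as the relative `/api/item/102` paths in the tests suggest, fetch's default `same-origin` mode already sends the cookies, so consider `credentials: init?.credentials ?? 'same-origin',` instead. If cross-origin access really is needed, say so in the comment, e.g. `// 'include' needed because the API is on a different origin in dev; pair with a strict CORS origin allowlist`. The body of `apiFetch`, including how `headers` is built, starts outside this hunk.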