authorAdam Mathes <adam@adammathes.com>2026-02-14 10:52:50 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 10:52:50 -0800
commit5e24550cacd0f80ea4ec62dab873e747b2ae86b7 (patch)
treec2666291bb48eb930e0254de8cde2c7108be7f79 /web/web.go
parent419d84d2a8e84d028b145df57d1584a3fe163b37 (diff)
fix: CSRF cookie configuration for local network access

- Changed SameSite from Lax to None to allow cookie access across localhost/IP variations
- Added Secure=false for local development (should be true in production with HTTPS)
- Added credentials:'include' to all fetch requests to ensure cookies are sent
- Updated tests to expect credentials parameter in fetch calls

This fixes the 403 Forbidden error when accessing from LAN IPs like 192.168.x.x
Diffstat (limited to 'web/web.go')
-rw-r--r--web/web.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/web/web.go b/web/web.go
index ffec8b9..d8dd832 100644
--- a/web/web.go
+++ b/web/web.go
@@ -373,7 +373,8 @@ func CSRFMiddleware(next http.Handler) http.Handler {
Value: token,
Path: "/",
HttpOnly: false, // accessible by JS
- SameSite: http.SameSiteLaxMode,
+ SameSite: http.SameSiteNoneMode,
+ Secure: false, // Set to true in production with HTTPS
})
} else {
token = cookie.Value
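Review bot: The new `SameSite: http.SameSiteNoneMode` paired with `Secure: false` in the `http.Cookie` literal above is a combination browsers refuse to store — the SameSite spec requires `Secure` whenever `SameSite=None`, Chromium rejects such cookies outright and Firefox does so by default in recent releases — so the CSRF token cookie will never be set and the protected requests this commit aims to fix will still return 403. A same-origin `fetch` to the server's own host already receives a `Lax` cookie, and cookies are scoped by host rather than by site, so relaxing SameSite does not by itself make a cookie set for `localhost` visible when the same page is opened at `192.168.x.x`; I would keep `SameSite: http.SameSiteLaxMode,` and derive the flag from the connection instead of hard-coding it, `Secure:   r.TLS != nil,` (assuming the handler closure's `*http.Request` is named `r`; if the server sits behind a TLS-terminating proxy, a trusted `X-Forwarded-Proto` check would be needed instead). If cross-site delivery is genuinely required, `None` must be accompanied by `Secure: true` and HTTPS, and a hard-coded `Secure: false` with a "set to true in production" comment is exactly the setting that ships unchanged — it belongs in configuration, not source. `CSRFMiddleware` starts and ends outside this hunk, so the request variable and the `else` branch's use of `token` are not visible here.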