Cleanup root directory by moving scripts to scripts/ and fix CSRF cookie policy for dev env

author: Adam Mathes <adam@adammathes.com> 2026-02-14 15:44:02 -0800
committer: Adam Mathes <adam@adammathes.com> 2026-02-14 15:44:02 -0800
commit: 701e0e8e919d2929ecc98b555e468bd29bf606cf (patch)
tree: e78856b8ffc83406499b34bb7fdf0892dd2ce6b4 /web/web.go
parent: 17fd19c8f822ff84b1855d7729a3030ebf1f68ae (diff)
download: neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.tar.gz
neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.tar.bz2
neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/web/web.go b/web/web.go
index 29c3d2c..148cf75 100644
--- a/web/web.go
+++ b/web/web.go
@@ -382,14 +382,14 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 				Value:    token,
 				Path:     "/",
 				HttpOnly: false, // accessible by JS
-				SameSite: http.SameSiteNoneMode,
+				SameSite: http.SameSiteLaxMode,
 				Secure:   cfg.SecureCookies,
 			})
 		} else {
 			token = cookie.Value
 		}
 
-		if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete {
+		if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" {
 			headerToken := r.Header.Get("X-CSRF-Token")
 			if headerToken == "" || headerToken != token {
 				http.Error(w, "CSRF token mismatch", http.StatusForbidden)
author	Adam Mathes <adam@adammathes.com>	2026-02-14 15:44:02 -0800
committer	Adam Mathes <adam@adammathes.com>	2026-02-14 15:44:02 -0800
commit	701e0e8e919d2929ecc98b555e468bd29bf606cf (patch)
tree	e78856b8ffc83406499b34bb7fdf0892dd2ce6b4 /web/web.go
parent	17fd19c8f822ff84b1855d7729a3030ebf1f68ae (diff)
download	neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.tar.gz neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.tar.bz2 neko-701e0e8e919d2929ecc98b555e468bd29bf606cf.zip