Diffstat (limited to 'web/web.go')
| -rw-r--r-- | web/web.go | 10 |
1 files changed, 7 insertions, 3 deletions
@@ -380,11 +380,15 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 }
 path := strings.TrimSuffix(r.URL.Path, "/")
-isExcluded := path == "/api/login" || path == "/login" || path == "/api/logout"
+isExcluded := path == "/api/login" || path == "/api/logout"
 if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && !isExcluded {
-headerToken := r.Header.Get("X-CSRF-Token")
-if headerToken == "" || headerToken != token {
+// Accept token from header (JS clients) or form field (HTML forms)
+submittedToken := r.Header.Get("X-CSRF-Token")
+if submittedToken == "" {
+submittedToken = r.FormValue("csrf_token")
+}
+if submittedToken == "" || submittedToken != token {
 http.Error(w, "CSRF token mismatch", http.StatusForbidden)
 return
 }
