From 5e24550cacd0f80ea4ec62dab873e747b2ae86b7 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Sat, 14 Feb 2026 10:52:50 -0800
Subject: fix: CSRF cookie configuration for local network access\n\n- Changed
 SameSite from Lax to None to allow cookie access across localhost/IP
 variations\n- Added Secure=false for local development (should be true in
 production with HTTPS)\n- Added credentials:'include' to all fetch requests
 to ensure cookies are sent\n- Updated tests to expect credentials parameter
 in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN
 IPs like 192.168.x.x

---
 frontend/src/components/FeedItems.test.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'frontend/src/components/FeedItems.test.tsx')

diff --git a/frontend/src/components/FeedItems.test.tsx b/frontend/src/components/FeedItems.test.tsx
index 6ffd026..555d8a2 100644
--- a/frontend/src/components/FeedItems.test.tsx
+++ b/frontend/src/components/FeedItems.test.tsx
@@ -106,6 +106,7 @@ describe('FeedItems Component', () => {
         expect.objectContaining({
           method: 'PUT',
           body: JSON.stringify({ read: true, starred: false }),
+          credentials: 'include',
         })
       );
     });
@@ -124,7 +125,8 @@ describe('FeedItems Component', () => {
         '/api/item/102',
         expect.objectContaining({
           method: 'PUT',
-          body: JSON.stringify({ read: true, starred: true }), // toggled to true
+          body: JSON.stringify({ read: true, starred: true }),
+          credentials: 'include', // toggled to true
         })
       );
     });
-- 
cgit v1.2.3