From 5e24550cacd0f80ea4ec62dab873e747b2ae86b7 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 10:52:50 -0800
Subject: fix: CSRF cookie configuration for local network access\n\n- Changed SameSite from Lax to None to allow cookie access across localhost/IP variations\n- Added Secure=false for local development (should be true in production with HTTPS)\n- Added credentials:'include' to all fetch requests to ensure cookies are sent\n- Updated tests to expect credentials parameter in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN IPs like 192.168.x.x
---
frontend/src/components/FeedItems.test.tsx | 4 +++-
frontend/src/utils.ts | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'frontend/src')
diff --git a/frontend/src/components/FeedItems.test.tsx b/frontend/src/components/FeedItems.test.tsx
index 6ffd026..555d8a2 100644
--- a/frontend/src/components/FeedItems.test.tsx
+++ b/frontend/src/components/FeedItems.test.tsx
@@ -106,6 +106,7 @@ describe('FeedItems Component', () => {
 expect.objectContaining({
 method: 'PUT',
 body: JSON.stringify({ read: true, starred: false }),
+ credentials: 'include',
 })
 );
 });
@@ -124,7 +125,8 @@ describe('FeedItems Component', () => {
 '/api/item/102',
 expect.objectContaining({
 method: 'PUT',
- body: JSON.stringify({ read: true, starred: true }), // toggled to true
+ body: JSON.stringify({ read: true, starred: true }),
+ credentials: 'include', // toggled to true
 })
 );
 });
diff --git a/frontend/src/utils.ts b/frontend/src/utils.ts
index 129ebbb..ebfb692 100644
--- a/frontend/src/utils.ts
+++ b/frontend/src/utils.ts
@@ -27,5 +27,6 @@ export async function apiFetch(input: RequestInfo | URL, init?: RequestInit): Pr
 return fetch(input, {
 ...init,
 headers,
+ credentials: 'include', // Ensure cookies are sent
 });
 }
--
cgit v1.2.3
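Review bot: The `// toggled to true` comment in the second FeedItems.test.tsx hunk now hangs off `credentials: 'include'`, but it describes `starred: true` on the line above, so it reads as if the credentials value were what gets toggled. Keep it with the body it annotates: `body: JSON.stringify({ read: true, starred: true }), // toggled to true` followed by `credentials: 'include',`. The enclosing `describe`/`it` blocks start and end outside the hunk.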
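Review bot: In utils.ts, `credentials: 'include'` is spread after `...init`, so it silently overrides any `init.credentials` a caller passes, and because fetch already defaults to `same-origin`, it only changes behaviour for cross-origin URLs, where the API must also answer with `Access-Control-Allow-Credentials: true` and an explicit `Access-Control-Allow-Origin` rather than `*`. If apiFetch is only called with relative `/api/...` paths, as FeedItems.test.tsx suggests, cookies were already being sent and the 403 fix actually comes from the backend cookie change described in the commit message, which is not in this diff. That description pairs `SameSite=None` with `Secure=false`; Chromium-based browsers reject `SameSite=None` cookies that lack `Secure`, a `Secure` cookie is not stored over plain http on a LAN IP, and dropping to `SameSite=None` removes the SameSite layer of CSRF defence so only the token check remains, so the LAN case should be verified in a real browser rather than through the fetch mocks. The inline comment would be more accurate as `credentials: 'include', // also sends cookies on cross-origin calls (server must allow credentials in CORS); overrides init.credentials`. apiFetch's signature lies outside the hunk.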