From 701e0e8e919d2929ecc98b555e468bd29bf606cf Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 15:44:02 -0800
Subject: Cleanup root directory by moving scripts to scripts/ and fix CSRF cookie policy for dev env

---
 web/web.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/web.go b/web/web.go
index 29c3d2c..148cf75 100644
--- a/web/web.go
+++ b/web/web.go
@@ -382,14 +382,14 @@ func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 Value: token,
 Path: "/",
 HttpOnly: false, // accessible by JS
- SameSite: http.SameSiteNoneMode,
+ SameSite: http.SameSiteLaxMode,
 Secure: cfg.SecureCookies,
 })
 } else {
 token = cookie.Value
 }
 
- if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete {
+ if (r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete) && r.URL.Path != "/api/login" {
 headerToken := r.Header.Get("X-CSRF-Token")
 if headerToken == "" || headerToken != token {
 http.Error(w, "CSRF token mismatch", http.StatusForbidden)
--
cgit v1.2.3
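Review bot: Exempting `/api/login` from the token check on the second `+` line opens that endpoint to login CSRF — a cross-site form POST can sign the victim's browser into an attacker-controlled account, and the `SameSiteLaxMode` change on the first `+` line does not mitigate it because the comparison is skipped entirely for that path. The token cookie appears to be issued on any request that arrives without one (the `else` branch only reads an existing cookie), so a client can obtain it with a plain GET before posting credentials and the exemption is not needed for the double-submit scheme to work; I'd drop `&& r.URL.Path != "/api/login"` and keep the check uniform. If the dev flow genuinely needs it, gate the exemption on a `cfg` flag rather than a hard-coded path, and add a comment on that line stating that it deliberately disables login-CSRF protection. Note also that the method list still omits `http.MethodPatch`, which the commit does not change. CSRFMiddleware begins and ends outside the hunk.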