From 2a5e724e0cba3bf43094c7ef1d2ef08598600554 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergio=20Casta=C3=B1o=20Arteaga?=
Date: Tue, 15 Jul 2025 10:52:38 +0200
Subject: [PATCH] Allow adding CSRF trusted origins (#4457)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Sergio CastaƱo Arteaga
---
 configs/hub.yaml | 2 ++
 internal/handlers/handlers.go | 1 +
 2 files changed, 3 insertions(+)

diff --git a/configs/hub.yaml b/configs/hub.yaml
index 616be6ab..03875c7e 100644
--- a/configs/hub.yaml
+++ b/configs/hub.yaml
@@ -32,3 +32,5 @@ server:
 csrf:
 authKey: default-unsafe-key
 secure: false
+ trustedOrigins:
+ - localhost:8000
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 4e32d02e..07d313d3 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -173,6 +173,7 @@ func (h *Handlers) setupRouter() {
 csrf.Secure(h.cfg.GetBool("server.csrf.secure")),
 csrf.Path("/api/v1"),
 csrf.CookieName("csrf"),
+ csrf.TrustedOrigins(h.cfg.GetStringSlice("server.csrf.trustedOrigins")),
 ))
 r.Get("/csrf", func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Cache-Control", "no-store")
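Review bot: The new `trustedOrigins` default `localhost:8000` in `configs/hub.yaml` has no comment saying what the list does or what format an entry takes. It sits next to `authKey: default-unsafe-key` and `secure: false`, so it reads as a development default that a deployment copying this file would inherit. I would add a comment above the key such as `# Hosts (host[:port], no scheme) accepted by the CSRF origin check; development default, replace or remove in production`. The entry format is inferred from the value shown here and should be confirmed against the csrf package's documentation.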
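Review bot: In `internal/handlers/handlers.go`, the value of `server.csrf.trustedOrigins` is passed straight into `csrf.TrustedOrigins` with no validation or logging. A mistyped entry therefore fails silently, and an overly broad one widens which cross-origin requests pass the CSRF check without leaving a trace. Consider validating the entries at startup (reject empty strings and values containing `://` or `/`, assuming the library matches on host[:port]) and logging the effective list once. If the key can also be supplied through an environment variable, check how `GetStringSlice` splits a single string, since that decides what ends up trusted. `setupRouter` starts and ends outside this hunk.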