asaharan

Previously, two CSRF middlewares were added for lax-proto requests: one at the beginning and one at the end. This change replaces them with a single middleware placed at the beginning. Non-lax-proto cases remain unchanged.

What is it?

  • Bug

Description

fix behaviour of checkOrigin: "lax-proto" in createQwikCity


changeset-bot bot commented Aug 25, 2025

🦋 Changeset detected

Latest commit: 7529a70

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
| Name | Type |
| --- | --- |
| @builder.io/qwik-city | Patch |
| eslint-plugin-qwik | Patch |
| @builder.io/qwik | Patch |
| create-qwik | Patch |


@asaharan changed the title from "Remove standard CSRF middleware for lax-proto and use csrfLaxProtoCheckMiddleware" to "Replace standard CSRF middleware with csrfLaxProtoCheckMiddleware for checkOrigin: lax-proto" on Aug 25, 2025

@gioboa gioboa left a comment

Thanks for your help, @asaharan.
Is there a specific issue with the actual code?
Why are we changing it?

@asaharan

Yes @gioboa, even when I set checkOrigin to lax-proto, I get a CSRF error.
ORIGIN=https://saharan.dev
The request is coming from https://saharan.dev
but there is a load balancer (say AWS ALB) in between, so it forwards x-forwarded-proto: https, but I still get the CSRF error saying request domain https://saharan.dev doesn't match origin http://saharan.dev

lax-proto is supposed to handle this case, hence this change.
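
The failure described in this comment, as an added example that is not part of the thread and not Qwik City's own code: a strict origin check and a lax-proto check in the same middleware chain must both pass, so the request forwarded by the TLS-terminating load balancer is rejected whichever order they run in. The function names, the request shape, the lax-proto semantics and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration. All names here are hypothetical, not Qwik City's API.

// Strict check: the Origin header must equal the origin the server sees.
function strictOriginCheck(req) {
  return req.headers.origin === new URL(req.url).origin;
}

// Lax-proto check (assumed semantics): also accept a scheme-only mismatch where
// the browser used https:// but the app, behind a TLS-terminating proxy, sees http://.
function laxProtoOriginCheck(req) {
  if (strictOriginCheck(req)) return true;
  const sent = req.headers.origin;
  const seen = new URL(req.url).origin;
  return (
    typeof sent === 'string' &&
    sent.startsWith('https://') &&
    seen.startsWith('http://') &&
    sent.slice('https://'.length) === seen.slice('http://'.length)
  );
}

// A middleware stack is a logical AND: the first failing check rejects the request.
function runChain(checks, req) {
  for (const check of checks) {
    if (!check(req)) return { status: 403, rejectedBy: check.name };
  }
  return { status: 200, rejectedBy: null };
}

// Constructed requests. The load balancer terminated TLS and forwarded plain HTTP.
const proxiedPost = {
  method: 'POST',
  url: 'http://saharan.dev/contact',
  headers: { origin: 'https://saharan.dev', 'x-forwarded-proto': 'https' },
};
const crossSitePost = { ...proxiedPost, headers: { origin: 'https://other-site.example' } };

// Both checks registered: rejected in either order.
console.log(runChain([strictOriginCheck, laxProtoOriginCheck], proxiedPost));
console.log(runChain([laxProtoOriginCheck, strictOriginCheck], proxiedPost));
// Only the lax-proto check registered: the proxied same-site request passes,
// a cross-site origin is still refused.
console.log(runChain([laxProtoOriginCheck], proxiedPost));
console.log(runChain([laxProtoOriginCheck], crossSitePost));
```

Relaxing the scheme comparison only has an effect when the lax check is the sole origin check in the chain; the host comparison stays exact in both variants.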


github-actions bot commented Aug 26, 2025

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

| Name | Status | Preview | Last Commit |
| --- | --- | --- | --- |
| qwik-docs | ✅ Ready (View Log) | Visit Preview | 7529a70 |


@wmertens wmertens left a comment

LGTM 🌉


@gioboa gioboa left a comment

Please test the package generated by this PR and let us know if it's working as expected on your scenario. Thanks.


pkg-pr-new bot commented Aug 26, 2025


npm i https://pkg.pr.new/@builder.io/qwik@7865
npm i https://pkg.pr.new/@builder.io/qwik-city@7865
npm i https://pkg.pr.new/eslint-plugin-qwik@7865
npm i https://pkg.pr.new/create-qwik@7865

commit: 7529a70
