B4L/buildfor_life_repair
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace SvelteKit CSRF with custom multi-origin check
Deploy to LXC / deploy (push) Successful in 19s
Details

Browse Source 
SvelteKit's built-in CSRF only allows one origin, breaking access via
NetBird/Yggdrasil/Tor IPs. Now:
- Disabled checkOrigin in svelte.config.js
- Custom CSRF in hooks.server.ts checks Origin against ALLOWED_ORIGINS
- ALLOWED_ORIGINS env var: comma-separated list of trusted origins
- Caddy no longer needs to rewrite Host/Origin headers
- Each access method (public domain, NetBird IP, Yggdrasil, Tor onion)
  just needs its URL added to ALLOWED_ORIGINS

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Alexander Grabowski
2026-04-13 14:23:02 +07:00
parent dbc140c1f9
commit 0ceee55f9b
4 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/caddy-reverse-proxy.md
+2 -3
View File
@@ -19,7 +19,7 @@ Tor ──► .onion ──► tor ──► :8880 ──┤
└─────────────────────────────────┘
```
All routes inject `Host: collection.newedge.house` so SvelteKit CSRF passes.
CSRF is handled by the app via `ALLOWED_ORIGINS` env var — no header rewriting needed.
## 1. Install Caddy and Tor
@@ -75,8 +75,6 @@ Edit `/etc/caddy/Caddyfile`:
(proxy) {
reverse_proxy 127.0.0.1:3000 {
header_up Host collection.newedge.house
header_up Origin https://collection.newedge.house
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto https
@@ -164,6 +162,7 @@ HOST=127.0.0.1
PORT=3000
ORIGIN=https://collection.newedge.house
BASE_URL=https://collection.newedge.house
ALLOWED_ORIGINS=https://collection.newedge.house,http://100.x.x.x,http://[200:xxxx:...],http://your-onion.onion
```
systemd service: