Docs: Update Astro CSRF protection (#1595)

lucia-auth · Jun 8, 2024 · aea85da · aea85da
1 parent 35634be
commit aea85da
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 22 deletions.
diff --git a/docs/pages/getting-started/astro.md b/docs/pages/getting-started/astro.md
@@ -12,6 +12,24 @@ Install Lucia using your package manager of your choice.
 npm install lucia
 ```
 
+## Enable CSRF protection
+
+Make sure you're using the latest version of Astro and enable CSRF protection.
+
+```ts
+// astro.config.js
+import { defineConfig } from "astro/config";
+
+export default defineConfig({
+ // ...
+ security: {
+ checkOrigin: true
+ }
+});
+```
+
+If you're using version below 4.9, you must [manually implement CSRF protection](https://lucia-auth.com/guides/validate-session-cookies/).
+
 ## Initialize Lucia
 
 Import `Lucia` and initialize it with your adapter. Refer to the [Database](/database) page to learn how to set up your database and initialize the adapter. Make sure to configure the `sessionCookie` option and register your `Lucia` instance type
@@ -51,16 +69,6 @@ import { verifyRequestOrigin } from "lucia";
 import { defineMiddleware } from "astro:middleware";
 
 export const onRequest = defineMiddleware(async (context, next) => {
- if (context.request.method !== "GET") {
- const originHeader = context.request.headers.get("Origin");
- const hostHeader = context.request.headers.get("Host");
- if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) {
- return new Response(null, {
- status: 403
- });
- }
- }
-
  const sessionId = context.cookies.get(lucia.sessionCookieName)?.value ?? null;
  if (!sessionId) {
  context.locals.user = null;

diff --git a/docs/pages/guides/validate-session-cookies/astro.md b/docs/pages/guides/validate-session-cookies/astro.md
@@ -4,7 +4,19 @@ title: "Validate session cookies in Astro"
 
 # Validate session cookies in Astro
 
-**CSRF protection must be implemented when using cookies and forms.** This can be easily done by comparing the `Origin` and `Host` header.
+**CSRF protection must be implemented when using cookies and forms.** This can be easily done by updating your Astro config (available Astro 4.9+).
+
+```ts
+// astro.config.js
+import { defineConfig } from "astro/config";
+
+export default defineConfig({
+ // ...
+ security: {
+ checkOrigin: true
+ }
+});
+```
 
 We recommend creating a middleware to validate requests and store the current user inside `locals`. You can get the cookie name with `Lucia.sessionCookieName` and validate the session cookie with `Lucia.validateSession()`. Make sure to delete the session cookie if it's invalid and create a new session cookie when the expiration gets extended, which is indicated by `Session.fresh`.
 
@@ -15,17 +27,6 @@ import { verifyRequestOrigin } from "lucia";
 import { defineMiddleware } from "astro:middleware";
 
 export const onRequest = defineMiddleware(async (context, next) => {
- if (context.request.method !== "GET") {
- const originHeader = request.headers.get("Origin");
- // NOTE: You may need to use `X-Forwarded-Host` instead
- const hostHeader = request.headers.get("Host");
- if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) {
- return new Response(null, {
- status: 403
- });
- }
- }
-
  const sessionId = context.cookies.get(lucia.sessionCookieName)?.value ?? null;
  if (!sessionId) {
  context.locals.user = null;