diff --git a/docs/pages/getting-started/astro.md b/docs/pages/getting-started/astro.md index b24ab5bae..8ee2bb116 100644 --- a/docs/pages/getting-started/astro.md +++ b/docs/pages/getting-started/astro.md @@ -12,6 +12,24 @@ Install Lucia using your package manager of your choice. npm install lucia ``` +## Enable CSRF protection + +Make sure you're using the latest version of Astro and enable CSRF protection. + +```ts +// astro.config.js +import { defineConfig } from "astro/config"; + +export default defineConfig({ + // ... + security: { + checkOrigin: true + } +}); +``` + +If you're using version below 4.9, you must [manually implement CSRF protection](https://lucia-auth.com/guides/validate-session-cookies/). + ## Initialize Lucia Import `Lucia` and initialize it with your adapter. Refer to the [Database](/database) page to learn how to set up your database and initialize the adapter. Make sure to configure the `sessionCookie` option and register your `Lucia` instance type @@ -51,16 +69,6 @@ import { verifyRequestOrigin } from "lucia"; import { defineMiddleware } from "astro:middleware"; export const onRequest = defineMiddleware(async (context, next) => { - if (context.request.method !== "GET") { - const originHeader = context.request.headers.get("Origin"); - const hostHeader = context.request.headers.get("Host"); - if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) { - return new Response(null, { - status: 403 - }); - } - } - const sessionId = context.cookies.get(lucia.sessionCookieName)?.value ?? null; if (!sessionId) { context.locals.user = null; diff --git a/docs/pages/guides/validate-session-cookies/astro.md b/docs/pages/guides/validate-session-cookies/astro.md index 768b468d8..f9616d970 100644 --- a/docs/pages/guides/validate-session-cookies/astro.md +++ b/docs/pages/guides/validate-session-cookies/astro.md @@ -4,7 +4,19 @@ title: "Validate session cookies in Astro" # Validate session cookies in Astro -**CSRF protection must be implemented when using cookies and forms.** This can be easily done by comparing the `Origin` and `Host` header. +**CSRF protection must be implemented when using cookies and forms.** This can be easily done by updating your Astro config (available Astro 4.9+). + +```ts +// astro.config.js +import { defineConfig } from "astro/config"; + +export default defineConfig({ + // ... + security: { + checkOrigin: true + } +}); +``` We recommend creating a middleware to validate requests and store the current user inside `locals`. You can get the cookie name with `Lucia.sessionCookieName` and validate the session cookie with `Lucia.validateSession()`. Make sure to delete the session cookie if it's invalid and create a new session cookie when the expiration gets extended, which is indicated by `Session.fresh`. @@ -15,17 +27,6 @@ import { verifyRequestOrigin } from "lucia"; import { defineMiddleware } from "astro:middleware"; export const onRequest = defineMiddleware(async (context, next) => { - if (context.request.method !== "GET") { - const originHeader = request.headers.get("Origin"); - // NOTE: You may need to use `X-Forwarded-Host` instead - const hostHeader = request.headers.get("Host"); - if (!originHeader || !hostHeader || !verifyRequestOrigin(originHeader, [hostHeader])) { - return new Response(null, { - status: 403 - }); - } - } - const sessionId = context.cookies.get(lucia.sessionCookieName)?.value ?? null; if (!sessionId) { context.locals.user = null;