ensure dev server bypasses CSRF

Emyrk · Emyrk · commit b1c560fff6ca · 2023-12-19T14:02:03.000-06:00
diff --git a/site/vite.config.ts b/site/vite.config.ts
@@ -38,6 +38,17 @@ export default defineConfig({
   },
   server: {
     port: process.env.PORT ? Number(process.env.PORT) : 8080,
+    headers: {
+      // This header corresponds to "src/api/api.ts"'s hardcoded FE token.
+      // This is the secret side of the CSRF double cookie submit method.
+      // This should be sent on **every** response from the webserver.
+      //
+      // This is required because in production, the Golang webserver generates
+      // this "Set-Cookie" header. The Vite webserver needs to replicate this
+      // behavior. Instead of implementing CSRF though, we just use static
+      // values for simplicity.
+      "Set-Cookie":  "csrf_token=JXm9hOUdZctWt0ZZGAy9xiS/gxMKYOThdxjjMnMUyn4=; Path=/; HttpOnly; SameSite=Lax",
+    },
     proxy: {
       "/api": {
         ws: true,
