Conversation

asaharan
Contributor

Previously, two CSRF middlewares were added for lax-proto requests: one at the beginning and one at the end. This change replaces them with a single middleware placed at the beginning. Non-lax-proto cases remain unchanged.

What is it?

  • Bug

Description

fix behaviour of checkOrigin: "lax-proto" in createQwikCity


changeset-bot bot commented Aug 25, 2025

🦋 Changeset detected

Latest commit: cc7a14c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name                    Type
@builder.io/qwik-city   Patch
eslint-plugin-qwik      Patch
@builder.io/qwik        Patch
create-qwik             Patch


@asaharan asaharan changed the title Remove standard CSRF middleware for lax-proto and use csrfLaxProtoCheckMiddleware Replace standard CSRF middleware with csrfLaxProtoCheckMiddleware for checkOrigin: lax-proto Aug 25, 2025
Member

@gioboa gioboa left a comment


Thanks for your help @asaharan.
Is there a specific issue with the actual code?
Why are we changing it?

@asaharan
Contributor Author

Yes @gioboa, even when I set checkOrigin to lax-proto, I get a CSRF error.
ORIGIN=https://saharan.dev
The request is coming from https://saharan.dev,
but there is a load balancer (say AWS ALB) in between, so it forwards x-forwarded-proto: https, but I still get the CSRF error saying request domain https://saharan.dev doesn't match origin http://saharan.dev.

lax-proto is supposed to handle this case, hence this change.

Contributor

github-actions bot commented Aug 26, 2025

⚡ Cloudflare Pages Deployment (built with Refined Cloudflare Pages Action)

qwik-docs: ✅ Ready, last commit 7529a70

wmertens
wmertens previously approved these changes Aug 26, 2025
Member

@wmertens wmertens left a comment


LGTM 🌉

Member

@gioboa gioboa left a comment


Please test the package generated by this PR and let us know if it's working as expected on your scenario. Thanks.


pkg-pr-new bot commented Aug 26, 2025

npm i https://pkg.pr.new/@builder.io/qwik@7865
npm i https://pkg.pr.new/@builder.io/qwik-city@7865
npm i https://pkg.pr.new/eslint-plugin-qwik@7865
npm i https://pkg.pr.new/create-qwik@7865

commit: cc7a14c

Previously, two CSRF middlewares were added for lax-proto requests: one
at the beginning and one at the end. This change replaces them with a
single middleware placed at the beginning. Non-lax-proto cases remain
unchanged.
@asaharan
Contributor Author

asaharan commented Sep 1, 2025

@gioboa as CSRF is being checked at the very beginning, origin contains http and not https. So, I have compared origin with inputOrigin after removing the protocol (http/https).
I have tested this on my production environment by directly modifying files inside node_modules and it's working fine over there.
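The failure asaharan describes above (a strict Origin comparison that sees http:// on the app side because the ALB terminated TLS) and the scheme-stripping comparison used in the fix, as an added example. This is not Qwik City's middleware and does not reproduce its function signatures: the IncomingRequest shape, the function names, the trustProxy flag and the sample request for saharan.dev are this example's own assumptions. It also goes one step beyond the thread by showing a proxy-aware strict check that keeps the scheme in the comparison.

```typescript
// Added example, not Qwik City's own code: a strict Origin check next to a
// "lax-proto" check that ignores the scheme, plus a stricter alternative that
// rebuilds the public origin from X-Forwarded-Proto. All names are assumptions.

interface IncomingRequest {
  method: string;
  url: string;                      // URL as the app sees it: scheme comes from the socket, so "http:" behind a TLS-terminating ALB
  headers: Record<string, string>;  // lower-case header names, as Node exposes them
}

type CheckOrigin = boolean | "lax-proto";

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];  // no CSRF risk, never checked

// Reduce an origin to host[:port] so the scheme plays no part in the comparison.
// Returns null for anything that is not a parseable absolute URL (e.g. "Origin: null").
function originWithoutScheme(origin: string): string | null {
  try {
    return new URL(origin).host.toLowerCase();  // URL.host keeps a non-default port
  } catch {
    return null;
  }
}

// Returns true when the request must be rejected as cross-site.
//   true        -> scheme, host and port must all match (strict)
//   "lax-proto" -> only host and port must match
//   false       -> check disabled
function isForbidden(req: IncomingRequest, checkOrigin: CheckOrigin): boolean {
  if (checkOrigin === false) return false;
  if (SAFE_METHODS.indexOf(req.method.toUpperCase()) !== -1) return false;
  const inputOrigin = req.headers["origin"];
  if (!inputOrigin) return true;  // state-changing request without Origin: refuse, do not guess
  const expected = new URL(req.url).origin;
  if (checkOrigin === "lax-proto") {
    const got = originWithoutScheme(inputOrigin);
    const want = originWithoutScheme(expected);
    return got === null || want === null || got !== want;
  }
  return inputOrigin !== expected;
}

// Stricter alternative: keep the scheme in the comparison but take it from
// X-Forwarded-Proto when, and only when, the request came through a proxy we
// control. A client reaching the app directly can set that header itself, so
// trustProxy must stay false in such a deployment.
function expectedOriginBehindProxy(req: IncomingRequest, trustProxy: boolean): string {
  const u = new URL(req.url);
  const fwd = req.headers["x-forwarded-proto"];
  if (trustProxy && (fwd === "https" || fwd === "http")) {
    u.protocol = fwd + ":";
  }
  return u.origin;
}

function isForbiddenStrictBehindProxy(req: IncomingRequest, trustProxy: boolean): boolean {
  if (SAFE_METHODS.indexOf(req.method.toUpperCase()) !== -1) return false;
  const inputOrigin = req.headers["origin"];
  if (!inputOrigin) return true;
  return inputOrigin !== expectedOriginBehindProxy(req, trustProxy);
}

// Constructed sample for the scenario in the thread: the browser posted to
// https://saharan.dev, the ALB terminated TLS and forwarded over plain HTTP.
function sampleRequest(method: string, origin: string | undefined, forwardedProto?: string): IncomingRequest {
  const headers: Record<string, string> = {};
  if (origin !== undefined) headers["origin"] = origin;
  if (forwardedProto !== undefined) headers["x-forwarded-proto"] = forwardedProto;
  return { method, url: "http://saharan.dev/api/submit", headers };
}

const behindAlb = sampleRequest("POST", "https://saharan.dev", "https");

// Strict comparison sees "https://saharan.dev" vs "http://saharan.dev" and rejects,
// which is the error reported above. lax-proto and the proxy-aware check accept.
console.log("strict:", isForbidden(behindAlb, true));                        // true
console.log("lax-proto:", isForbidden(behindAlb, "lax-proto"));              // false
console.log("proxy-aware:", isForbiddenStrictBehindProxy(behindAlb, true));  // false
```

The trade-off a practitioner should know: with the scheme stripped, an Origin of http://saharan.dev is accepted for a site served at https://saharan.dev, so an attacker who can serve plain HTTP on that hostname (for example on a network path where HSTS is not yet cached) can satisfy the check. Where the load balancer is the only way to reach the app and it overwrites any client-supplied X-Forwarded-Proto, the proxy-aware check keeps the scheme in the comparison without producing the false rejection; otherwise lax-proto is the pragmatic choice.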

Member

@gioboa gioboa left a comment


Nice, Thanks 👍

@gioboa gioboa marked this pull request as ready for review September 1, 2025 16:34
@gioboa gioboa requested a review from a team as a code owner September 1, 2025 16:34
Member

@gioboa gioboa left a comment


Thanks for your help @asaharan

@gioboa gioboa enabled auto-merge (squash) September 1, 2025 16:40
@gioboa gioboa disabled auto-merge September 1, 2025 16:41
@gioboa gioboa changed the title Replace standard CSRF middleware with csrfLaxProtoCheckMiddleware for checkOrigin: lax-proto fix: compare URLs without protocols with checkOrigin: lax-proto Sep 1, 2025
@gioboa gioboa enabled auto-merge (squash) September 1, 2025 16:44
@gioboa gioboa merged commit faecc33 into QwikDev:main Sep 1, 2025
17 checks passed
@github-actions github-actions bot mentioned this pull request Sep 1, 2025