The latest lucia v3 beta split authRequest verification into separate functions. In updating, I followed their hono guide too closely - https://v3.lucia-auth.com/guides/validate-session-cookies/hono. The wildcard csrf middleware was failing with requests from the native app.
Restored the previous functionality which only applied the CSRF check when validating a cookie session. If it fails, it skips loading the session but does not return a 403 error. If the x-enable-tokens header is detected, it uses the bearer token for the session ID and should no longer add set-cookie headers in the response.
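The lookup order described above, sketched as a framework-free function; this is an added example, not code from this change or from lucia or hono. The cookie name `auth_session`, the GET exemption, the plain-object header map and the return shape are assumptions made for illustration.

```javascript
// Added example: models the session lookup described in the message above.
// Assumptions: cookie name, GET exemption, header map and return shape.
const SESSION_COOKIE = "auth_session";

// Read one cookie value out of a Cookie header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// CSRF check for cookie sessions: the Origin host must equal the Host header.
function originMatchesHost(origin, host) {
  if (!origin || !host) return false;
  try {
    return new URL(origin).host === host;
  } catch {
    return false; // a malformed Origin counts as a failed check
  }
}

// headers: plain object keyed by lower-cased header name.
function resolveSession(method, headers) {
  if ("x-enable-tokens" in headers) {
    // Token mode: the session ID comes from the bearer token, the cookie is
    // ignored, and the response must not carry Set-Cookie.
    const m = /^Bearer\s+(\S+)$/.exec(headers["authorization"] || "");
    return { source: "bearer", sessionId: m ? m[1] : null, setCookie: false };
  }
  // Cookie mode: the CSRF check applies only here (non-GET is an assumption).
  if (method !== "GET" && !originMatchesHost(headers["origin"], headers["host"])) {
    // Failed check: skip loading the session, but do not answer 403.
    return { source: "cookie", sessionId: null, setCookie: false };
  }
  const sessionId = readCookie(headers["cookie"], SESSION_COOKIE);
  return { source: "cookie", sessionId, setCookie: sessionId !== null };
}
```

A native-app request that sends no Origin header passes through token mode untouched, while a cross-origin browser POST is simply treated as unauthenticated.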