timothymiller / t4-app

A powerful cross-platform UI toolkit for building actually native iOS, Android, macOS, Windows, Linux, and Progressive Web Apps with React (Native).
https://t4stack.com
MIT License
1.31k stars, 69 forks

Lucia v3: restore previous csrf behavior #127

Closed rmarscher closed 6 months ago

rmarscher commented 6 months ago

The latest lucia v3 beta split authRequest verification into separate functions. In updating, I followed their hono guide too closely - https://v3.lucia-auth.com/guides/validate-session-cookies/hono. The wildcard csrf middleware was failing with requests from the native app.

Restored the previous functionality which only applied the CSRF check when validating a cookie session. If it fails, it skips loading the session but does not return a 403 error. If the x-enable-tokens header is detected, it uses the bearer token for the session ID and should no longer add set-cookie headers in the response.
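The request flow described in the comment above, as an added example that is not part of this PR or of the t4-app code: it is modelled with plain functions over a header map so it runs without hono or lucia installed. `resolveSession`, the `SESSIONS` table and the cookie name `auth_session` are assumptions; `verifyRequestOrigin` here is a simplified stand-in for lucia's helper of the same name, and the GET exemption from the Origin check is assumed from lucia's hono guide.

```typescript
type HeaderMap = Record<string, string | undefined>; // keys assumed lowercase

interface Session { id: string; userId: string }
interface Resolved {
  mode: "token" | "cookie";
  session: Session | null;
  setCookie: string | null;   // only ever populated in cookie mode
  csrfRejected: boolean;      // Origin check failed: session skipped, no 403
}

// Constructed in-memory session table standing in for lucia.validateSession()
const SESSIONS: Record<string, Session> = {
  sess_abc: { id: "sess_abc", userId: "user_1" },
};
function validateSession(id: string): Session | null {
  return SESSIONS[id] ?? null;
}

// Simplified stand-in for lucia's verifyRequestOrigin(): Origin host must be allowed
function verifyRequestOrigin(origin: string | undefined, allowedHosts: string[]): boolean {
  if (!origin) return false;
  try { return allowedHosts.includes(new URL(origin).host); } catch { return false; }
}

function readSessionCookie(cookie: string | undefined, name = "auth_session"): string | null {
  if (!cookie) return null;
  for (const part of cookie.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name && v.length) return v.join("=");
  }
  return null;
}

function resolveSession(method: string, headers: HeaderMap, allowedHosts: string[]): Resolved {
  // Token mode (native app): session id comes from the bearer token, no Set-Cookie emitted
  if (headers["x-enable-tokens"]) {
    const auth = headers["authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
    return { mode: "token", session: token ? validateSession(token) : null, setCookie: null, csrfRejected: false };
  }
  // Cookie mode (browser): CSRF check applies only here; on failure the session is
  // simply not loaded rather than answering 403. GET exemption assumed from the guide.
  if (method !== "GET" && !verifyRequestOrigin(headers["origin"], allowedHosts)) {
    return { mode: "cookie", session: null, setCookie: null, csrfRejected: true };
  }
  const id = readSessionCookie(headers["cookie"]);
  const session = id ? validateSession(id) : null;
  const setCookie = session ? `auth_session=${session.id}; HttpOnly; Secure; SameSite=Lax; Path=/` : null;
  return { mode: "cookie", session, setCookie, csrfRejected: false };
}
```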

timothymiller commented 6 months ago

Any situations we wouldn't set enableTokens to true?

timothymiller commented 6 months ago

I'm going to merge this though, I expect us to make further changes with it.