From f3bfa9e36ffa7c7d75c86af0fcb8a6cbca224c61 Mon Sep 17 00:00:00 2001
From: syswave-dev <263179084+syswave-dev@users.noreply.github.com>
Date: Mon, 4 May 2026 11:17:21 +0200
Subject: [PATCH] fix(csrf): mark requests as plaintext when SecureCookies=false

gorilla/csrf v1.7.x defaults the assumed request scheme to https for Origin validation. With secure_cookies: false (HTTP dev mode), the browser sends Origin: http://localhost:8082 but the middleware compares against https://localhost:8082, causing scheme mismatch and ErrBadOrigin on every POST. csrf.Secure(false) only controls the cookie's Secure flag, not the Origin check. Wrapping the middleware to call csrf.PlaintextHTTPRequest(r) before validation resolves the issue without affecting production deployments where SecureCookies=true. Verified locally: Ubuntu 22.04, Go 1.24, MongoDB 7.0 replica set, LightCMS v6.0.2 dev mode. /cm/login POST now succeeds where it previously returned 403. Refs #1
---
 cmd/server/main.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 90ab19e..f9316b9 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -235,6 +235,18 @@ func main() {
 })),
 )
 
+ // gorilla/csrf v1.7.x defaults the assumed request scheme to "https" for
+ // Origin/Referer checks. On plaintext HTTP the browser-sent Origin
+ // (e.g. http://localhost:8082) won't match, so flag requests as plaintext.
+ if !cfg.SecureCookies {
+ inner := csrfMiddleware
+ csrfMiddleware = func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ inner(next).ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
+ })
+ }
+ }
+
 // Admin routes (under /cm)
 admin := r.PathPrefix("/cm").Subrouter()
 admin.Use(csrfMiddleware)
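Review bot: The new wrapper constructs the CSRF handler on every request, because `inner(next)` is called inside the per-request `http.HandlerFunc` closure; build it once when the middleware is applied instead: `protected := inner(next)` before the `return`, and `protected.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))` in the closure. The plaintext marking is keyed on `cfg.SecureCookies` rather than on the connection actually being HTTP, so a deployment that runs with secure_cookies=false behind a TLS-terminating proxy would presumably now have its Origin check expect `http://` and reject browser POSTs — fail-closed, but worth stating in the comment so operators do not reach for the flag to "fix" it. Since this branch also implies the CSRF cookie is issued without the Secure flag, consider emitting a startup warning when it is taken, e.g. `log.Printf("WARNING: secure_cookies=false: CSRF origin checks assume plaintext HTTP; development only")`, using whatever logger main already uses. func main() begins and ends outside the hunk.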