fix(admin): remove csrf checks

2026-06-06 00:56:56 +00:00 · 2026-02-21 17:01:35 +01:00
parent ed1608b8e3
commit a96939684b
4 changed files with 0 additions and 34 deletions
--- a/apps/web/src/app/(ui)/(protected)/api/admin/channels/route.ts
+++ b/apps/web/src/app/(ui)/(protected)/api/admin/channels/route.ts
@@ -1,5 +1,4 @@
 import { validateRequest } from '@/lib/auth/validate';
-import { verifySameOrigin } from '@/lib/auth/csrf';
 import { AdminAuditAction, prisma } from '@hctv/db';
 import { NextRequest } from 'next/server';

@@ -48,11 +47,6 @@ export async function POST(request: NextRequest) {
    return new Response('Forbidden', { status: 403 });
  }

-  const csrfError = verifySameOrigin(request);
-  if (csrfError) {
-    return csrfError;
-  }
-
  let body: {
    channelId: string;
    action: 'restrict' | 'unrestrict';
--- a/apps/web/src/app/(ui)/(protected)/api/admin/reports/route.ts
+++ b/apps/web/src/app/(ui)/(protected)/api/admin/reports/route.ts
@@ -1,5 +1,4 @@
 import { validateRequest } from '@/lib/auth/validate';
-import { verifySameOrigin } from '@/lib/auth/csrf';
 import {
  AdminAuditAction,
  ChatModerationAction,
@@ -97,11 +96,6 @@ export async function POST(request: NextRequest) {
    return new Response('Forbidden', { status: 403 });
  }

-  const csrfError = verifySameOrigin(request);
-  if (csrfError) {
-    return csrfError;
-  }
-
  let body: {
    reportId?: string;
    action?:
--- a/apps/web/src/app/(ui)/(protected)/api/admin/users/route.ts
+++ b/apps/web/src/app/(ui)/(protected)/api/admin/users/route.ts
@@ -1,5 +1,4 @@
 import { validateRequest } from '@/lib/auth/validate';
-import { verifySameOrigin } from '@/lib/auth/csrf';
 import { AdminAuditAction, prisma } from '@hctv/db';
 import { NextRequest } from 'next/server';

@@ -38,11 +37,6 @@ export async function POST(request: NextRequest) {
    return new Response('Forbidden', { status: 403 });
  }

-  const csrfError = verifySameOrigin(request);
-  if (csrfError) {
-    return csrfError;
-  }
-
  let body: {
    userId: string;
    action: 'ban' | 'unban' | 'promote' | 'demote';
--- a/apps/web/src/lib/auth/csrf.ts
+++ b/apps/web/src/lib/auth/csrf.ts
@@ -1,16 +0,0 @@
-import { NextRequest } from 'next/server';
-
-const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
-
-export function verifySameOrigin(request: NextRequest): Response | null {
-  if (SAFE_METHODS.has(request.method)) {
-    return null;
-  }
-
-  const origin = request.headers.get('origin');
-  if (!origin || origin !== request.nextUrl.origin) {
-    return new Response('Forbidden', { status: 403 });
-  }
-
-  return null;
-}