remove outdated info

lucia-auth · Dec 7, 2023 · 373f8aa · 373f8aa
1 parent e8e15e3
commit 373f8aa
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 47 deletions.
diff --git a/documentation/src/pages/basics/configuration.md b/documentation/src/pages/basics/configuration.md
@@ -7,8 +7,6 @@ This page shows all the options for [`Lucia`]() to configure Lucia.
 
 ```ts
 interface Options {
-	middleware?: _Middleware;
-	csrfProtection?: boolean | CSRFProtectionOptions;
 	sessionExpiresIn?: TimeSpan;
 	sessionCookie?: SessionCookieOptions;
 	getSessionAttributes?: (
@@ -18,36 +16,6 @@ interface Options {
 }
 ```
 
-## `middleware`
-
-See [middleware]().
-
-```ts
-import { Lucia } from "lucia";
-import { sveltekit } from "lucia/middleware";
-
-const lucia = new Lucia(adapter, {
-	middleware: sveltekit()
-});
-```
-
-## `csrfProtection`
-
-CSRF protection is enabled (`true`) by default for [`AuthRequest.handleRequest()`](). Disable it by passing `false`. You can configure the behavior for `AuthRequest.handleRequest()` or [`Lucia.verifyRequestOrigin()`]() by passing an object.
-
-By default, Lucia uses the `Host` header to determine the current domain. You can change that with the `hostHeader` option or manually defining domains in `allowedHeaders`.
-
-```ts
-import { Lucia } from "lucia";
-
-const lucia = new Lucia(adapter, {
-	csrfProtection: {
-		allowedHeaders: ["api.example.com"],
-		hostHeader: "X-Forwarded-Host" // default: `Host`
-	}
-});
-```
-
 ## `sessionExpiresIn`
 
 Configures how long a session is valid max for inactive users. Sessions expiration are automatically extended for active users. Also see [`TimeSpan`]().

diff --git a/documentation/src/pages/basics/help.md b/documentation/src/pages/basics/help.md
@@ -41,31 +41,20 @@ const lucia = new Lucia(adapter, {
 
 ## Can't validate POST requests
 
-If you're using `AuthRequest.validate()` and it returns `null` even if the session cookie exists, it's likely caused by Lucia's CSRF protection. To debug, check the `Origin` and `Host` header. The hostname (domain) must exactly match. You can use a different header to get the host, manually add allowed domains, or disable CSRF protection entirely (not recommended) using the [`csrfProtection`]() option.
+Check your CSRF protection implementation. If you're using the code provided by the documentation, check the `Origin` and `Host` header. The hostname must match exactly. You can add additional domains to the array to allow more domains.
 
 ```ts
-import { Lucia } from "lucia";
-
-const lucia = new Lucia(adapter, {
-	csrfProtection: {
-        hostHeader: "X-Forwarded-Host", // use X-Forwarded-Host instead of Host
-        allowedDomains: ["api.example.com"] // allow api.example.com
-    }
-});
+import { verifyRequestOrigin } from "oslo/request";
 
-// disable CSRF protection
-const lucia = new Lucia(adapter, {
-	csrfProtection: false
-});
+verifyRequestOrigin(originHeader, [hostHeader, "api.example.com" /*...*/]);
 ```
 
 ## `crypto` is not defined
 
 You're likely using a runtime that doesn't support the Web Crypto API, such as Node.js 18 and below. Polyfill it by importing `webcrypto`.
 
-
 ```ts
 import { webcrypto } from "node:crypto";
 
 globalThis.crypto = webcrypto as Crypto;
-```
+```