diff --git a/documentation/src/pages/basics/configuration.md b/documentation/src/pages/basics/configuration.md index 613dd3616..472fc3e37 100644 --- a/documentation/src/pages/basics/configuration.md +++ b/documentation/src/pages/basics/configuration.md @@ -7,8 +7,6 @@ This page shows all the options for [`Lucia`]() to configure Lucia. ```ts interface Options { - middleware?: _Middleware; - csrfProtection?: boolean | CSRFProtectionOptions; sessionExpiresIn?: TimeSpan; sessionCookie?: SessionCookieOptions; getSessionAttributes?: ( @@ -18,36 +16,6 @@ interface Options { } ``` -## `middleware` - -See [middleware](). - -```ts -import { Lucia } from "lucia"; -import { sveltekit } from "lucia/middleware"; - -const lucia = new Lucia(adapter, { - middleware: sveltekit() -}); -``` - -## `csrfProtection` - -CSRF protection is enabled (`true`) by default for [`AuthRequest.handleRequest()`](). Disable it by passing `false`. You can configure the behavior for `AuthRequest.handleRequest()` or [`Lucia.verifyRequestOrigin()`]() by passing an object. - -By default, Lucia uses the `Host` header to determine the current domain. You can change that with the `hostHeader` option or manually defining domains in `allowedHeaders`. - -```ts -import { Lucia } from "lucia"; - -const lucia = new Lucia(adapter, { - csrfProtection: { - allowedHeaders: ["api.example.com"], - hostHeader: "X-Forwarded-Host" // default: `Host` - } -}); -``` - ## `sessionExpiresIn` Configures how long a session is valid max for inactive users. Sessions expiration are automatically extended for active users. Also see [`TimeSpan`](). diff --git a/documentation/src/pages/basics/help.md b/documentation/src/pages/basics/help.md index 320b3cd00..a31962208 100644 --- a/documentation/src/pages/basics/help.md +++ b/documentation/src/pages/basics/help.md 
@@ -41,31 +41,20 @@ const lucia = new Lucia(adapter, { ## Can't validate POST requests -If you're using `AuthRequest.validate()` and it returns `null` even if the session cookie exists, it's likely caused by Lucia's CSRF protection. To debug, check the `Origin` and `Host` header. The hostname (domain) must exactly match. You can use a different header to get the host, manually add allowed domains, or disable CSRF protection entirely (not recommended) using the [`csrfProtection`]() option. +Check your CSRF protection implementation. If you're using the code provided by the documentation, check the `Origin` and `Host` header. The hostname must match exactly. You can add additional domains to the array to allow more domains. ```ts -import { Lucia } from "lucia"; - -const lucia = new Lucia(adapter, { - csrfProtection: { - hostHeader: "X-Forwarded-Host", // use X-Forwarded-Host instead of Host - allowedDomains: ["api.example.com"] // allow api.example.com - } -}); +import { verifyRequestOrigin } from "oslo/request"; -// disable CSRF protection -const lucia = new Lucia(adapter, { - csrfProtection: false -}); +verifyRequestOrigin(originHeader, [hostHeader, "api.example.com" /*...*/]); ``` ## `crypto` is not defined You're likely using a runtime that doesn't support the Web Crypto API, such as Node.js 18 and below. Polyfill it by importing `webcrypto`. - ```ts import { webcrypto } from "node:crypto"; globalThis.crypto = webcrypto as Crypto; -``` \ No newline at end of file +```
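Review bot: in the configuration.md hunk, removing the `csrfProtection` and `middleware` sections without any replacement text leaves readers who upgrade with no indication that CSRF origin checking is no longer something `Lucia` does for them, even though the page intro still promises to show "all the options". Suggest a one-line note under the intro stating that origin verification has moved out of the `Options` interface and must be done in the application's own request handling (the `verifyRequestOrigin` from `oslo/request` shown in help.md in this same patch), so nobody assumes `handleRequest()` still rejects cross-origin POSTs.

Review bot: in the help.md hunk, the new snippet `verifyRequestOrigin(originHeader, [hostHeader, "api.example.com" /*...*/]);` discards the return value, so a reader who copies it ends up with a check that never rejects anything; show the branch, e.g. `if (!verifyRequestOrigin(originHeader, [hostHeader, "api.example.com"])) { return new Response(null, { status: 403 }); }`, and say where `originHeader` and `hostHeader` are read from, since both are undefined in the snippet. The rewritten prose also loses the deleted text's point about taking the host from a different header: behind a reverse proxy `Host` is often not the public hostname, so keep the `X-Forwarded-Host` guidance the removed lines carried, or readers will hit exactly the "returns `null`" symptom this section exists to diagnose. "the code provided by the documentation" should also link to the page that contains it.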