From 2de4e9e2a77e3c4ce7005c6671c3bd23924404de Mon Sep 17 00:00:00 2001
From: George Powell
Date: Fri, 13 Feb 2026 01:56:24 -0500
Subject: [PATCH] Another attempt at fixing Cross-site POST form submissions are forbidden
---
 src/hooks.server.ts | 13 +------------
 svelte.config.js | 9 ++++++++-
 2 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 7dea14d..867fb1a 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,20 +1,9 @@
 import type { Handle } from '@sveltejs/kit';
-import { sequence } from '@sveltejs/kit/hooks';
 import * as auth from '$lib/server/auth';
 import { initializeEmbeddings } from '$lib/server/bible-embeddings';
 import { getAllNKJVVerses } from '$lib/server/xml-bible';
-// Apple Sign In uses form_post (cross-origin POST from appleid.apple.com)
-// so we need to skip SvelteKit's CSRF origin check for that route
-const handleAppleCsrf: Handle = async ({ event, resolve }) => {
- if (event.url.pathname === '/auth/apple/callback') {
- // The route has its own CSRF protection via the state parameter + cookie
- event.request.headers.delete('origin');
- }
- return resolve(event);
-};
 const handleAuth: Handle = async ({ event, resolve }) => {
 const sessionToken = event.cookies.get(auth.sessionCookieName);
@@ -39,7 +28,7 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 return resolve(event);
 };
-export const handle: Handle = sequence(handleAppleCsrf, handleAuth);
+export const handle: Handle = handleAuth;
 // Initialize embeddings on server start (runs once on module load)
 const verses = getAllNKJVVerses();
diff --git a/svelte.config.js b/svelte.config.js
index 833cead..2b6f324 100644
--- a/svelte.config.js
+++ b/svelte.config.js
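Review bot: `export const handle: Handle = handleAuth;` leaves the app with no origin check at all once the svelte.config.js hunk sets `csrf.checkOrigin: false`, because that option is app-wide: every form action and POST/PUT/PATCH/DELETE handler, not only `/auth/apple/callback`, now accepts cross-site form submissions, while the state-parameter/cookie protection cited in the removed comment only ever covered that one route. The per-route `headers.delete('origin')` approach apparently could not work because the framework check runs before the `handle` hook, so the scoped fix is to keep the global option off as this commit does and reinstate an equivalent check in hooks.server.ts that exempts only the Apple callback, as below; this needs the `import { sequence } from '@sveltejs/kit/hooks'` that the first hunk removes. Whether the callback route really validates `state` against a cookie is not visible in this diff and should be confirmed before relying on the exemption, and `url.origin` must match the externally visible origin (the adapter's ORIGIN/Host handling) behind a reverse proxy. `handleAuth`'s body is only partly inside these hunks.
```typescript
// Replaces the framework-wide Origin check that svelte.config.js turns off
// (kit.csrf.checkOrigin: false). Same rule SvelteKit applies — state-changing
// method + form content type + Origin !== site origin → 403 — except for the
// Apple form_post callback, which is expected to validate `state` against its own cookie.
const STATE_CHANGING_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const FORM_CONTENT_TYPE = /^(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)/i;

const handleCsrf: Handle = async ({ event, resolve }) => {
	const { request, url } = event;
	const isFormSubmission =
		STATE_CHANGING_METHODS.has(request.method) &&
		FORM_CONTENT_TYPE.test(request.headers.get('content-type') ?? '');
	if (isFormSubmission && url.pathname !== '/auth/apple/callback') {
		// Missing Origin header fails closed: null !== url.origin
		if (request.headers.get('origin') !== url.origin) {
			return new Response('Cross-site form submission forbidden', { status: 403 });
		}
	}
	return resolve(event);
};

// … unchanged: handleAuth …

export const handle: Handle = sequence(handleCsrf, handleAuth);
```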
@@ -7,7 +7,14 @@ const config = {
 // for more information about preprocessors
 preprocess: vitePreprocess(),
- kit: { adapter: adapter() }
+ kit: {
+ adapter: adapter(),
+ csrf: {
+ // Disabled because Apple Sign In uses cross-origin form_post.
+ // The Apple callback route has its own CSRF protection via state + cookie.
+ checkOrigin: false
+ }
+ }
 };
 export default config;
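Review bot: The comment above `checkOrigin: false` reads as if the setting were scoped to the Apple callback, but `kit.csrf.checkOrigin` is app-wide and the route-local state/cookie protection it cites applies only to `/auth/apple/callback`; a maintainer reading this file alone would not know that every other form action is now unprotected unless a compensating check exists elsewhere. The comment should state the scope and name the compensating control, e.g. `// App-wide: disables SvelteKit's Origin check for ALL form posts, not just the Apple callback.` / `// Needed because Apple Sign In returns via cross-origin form_post; the equivalent check,` / `// with only that route exempted, must be enforced in src/hooks.server.ts.` Whether such a check exists after this commit is not visible in the diff.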