Another attempt at fixing Cross-site POST form submissions are forbidden

src/hooks.server.ts

@@ -1,20 +1,9 @@
 import type { Handle } from '@sveltejs/kit';
-import { sequence } from '@sveltejs/kit/hooks';
 import * as auth from '$lib/server/auth';
 
 import { initializeEmbeddings } from '$lib/server/bible-embeddings';
 import { getAllNKJVVerses } from '$lib/server/xml-bible';
 
-// Apple Sign In uses form_post (cross-origin POST from appleid.apple.com)
-// so we need to skip SvelteKit's CSRF origin check for that route
-const handleAppleCsrf: Handle = async ({ event, resolve }) => {
-	if (event.url.pathname === '/auth/apple/callback') {
-		// The route has its own CSRF protection via the state parameter + cookie
-		event.request.headers.delete('origin');
-	}
-	return resolve(event);
-};
-
 const handleAuth: Handle = async ({ event, resolve }) => {
 	const sessionToken = event.cookies.get(auth.sessionCookieName);
 
@@ -39,7 +28,7 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 	return resolve(event);
 };
 
-export const handle: Handle = sequence(handleAppleCsrf, handleAuth);
+export const handle: Handle = handleAuth;
 
 // Initialize embeddings on server start (runs once on module load)
 const verses = getAllNKJVVerses();

svelte.config.js

@@ -7,7 +7,14 @@ const config = {
 	// for more information about preprocessors
 	preprocess: vitePreprocess(),
 
-	kit: { adapter: adapter() }
+	kit: {
+		adapter: adapter(),
+		csrf: {
+			// Disabled because Apple Sign In uses cross-origin form_post.
+			// The Apple callback route has its own CSRF protection via state + cookie.
+			checkOrigin: false
+		}
+	}
 };
 
 export default config;