Allow for apple bypass

src/hooks.server.ts

@@ -1,9 +1,20 @@
 import type { Handle } from '@sveltejs/kit';
+import { sequence } from '@sveltejs/kit/hooks';
 import * as auth from '$lib/server/auth';
 
 import { initializeEmbeddings } from '$lib/server/bible-embeddings';
 import { getAllNKJVVerses } from '$lib/server/xml-bible';
 
+// Apple Sign In uses form_post (cross-origin POST from appleid.apple.com)
+// so we need to skip SvelteKit's CSRF origin check for that route
+const handleAppleCsrf: Handle = async ({ event, resolve }) => {
+	if (event.url.pathname === '/auth/apple/callback') {
+		// The route has its own CSRF protection via the state parameter + cookie
+		event.request.headers.delete('origin');
+	}
+	return resolve(event);
+};
+
 const handleAuth: Handle = async ({ event, resolve }) => {
 	const sessionToken = event.cookies.get(auth.sessionCookieName);
 
@@ -28,7 +39,7 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 	return resolve(event);
 };
 
-export const handle: Handle = handleAuth;
+export const handle: Handle = sequence(handleAppleCsrf, handleAuth);
 
 // Initialize embeddings on server start (runs once on module load)
 const verses = getAllNKJVVerses();