From ea7a848125c70c73213f068689b22e6c77f6f276 Mon Sep 17 00:00:00 2001
From: George Powell
Date: Fri, 13 Feb 2026 01:52:48 -0500
Subject: [PATCH] Allow for apple bypass

---
 src/hooks.server.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 867fb1a..7dea14d 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,9 +1,20 @@
 import type { Handle } from '@sveltejs/kit';
+import { sequence } from '@sveltejs/kit/hooks';
 import * as auth from '$lib/server/auth';
 import { initializeEmbeddings } from '$lib/server/bible-embeddings';
 import { getAllNKJVVerses } from '$lib/server/xml-bible';
 
+// Apple Sign In uses form_post (cross-origin POST from appleid.apple.com)
+// so we need to skip SvelteKit's CSRF origin check for that route
+const handleAppleCsrf: Handle = async ({ event, resolve }) => {
+ if (event.url.pathname === '/auth/apple/callback') {
+ // The route has its own CSRF protection via the state parameter + cookie
+ event.request.headers.delete('origin');
+ }
+ return resolve(event);
+};
+
 const handleAuth: Handle = async ({ event, resolve }) => {
 const sessionToken = event.cookies.get(auth.sessionCookieName);
 
@@ -28,7 +39,7 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 return resolve(event);
 };
 
-export const handle: Handle = handleAuth;
+export const handle: Handle = sequence(handleAppleCsrf, handleAuth);
 
 // Initialize embeddings on server start (runs once on module load)
 const verses = getAllNKJVVerses();
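Review bot: The `event.request.headers.delete('origin')` in `handleAppleCsrf` most likely never influences SvelteKit's CSRF check: as far as I know the built-in origin comparison runs at the start of the server's `respond()` before any `handle` hook is invoked, so a cross-origin form_post to `/auth/apple/callback` would already be rejected with 403 before this hook sees it (confirm against the installed @sveltejs/kit version), and on adapters where the incoming `Request` headers are immutable the `delete` call would throw rather than no-op. If the installed kit version supports `kit.csrf.trustedOrigins`, listing `https://appleid.apple.com` there in svelte.config.js is the narrow fix; otherwise the documented route is to disable `csrf.checkOrigin` and re-implement the same-origin check in this hook for every path except the callback. Whichever mechanism is used, the exemption should be scoped to `event.request.method === 'POST'` and to requests whose Origin header is exactly `https://appleid.apple.com`, not to every request on the path. The comment's claim that the callback route validates the state parameter against a cookie cannot be verified from this diff, so a pointer to that check (file and function) would help the next reviewer.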