Lucia's request handler is blacklisting POST requests - why is that?

[moritzlaube]

I am using a custom express middleware to check authorization for all of my protected api routes like so:

export default async function isAuthenticated(req: Request, res: Response, next: NextFunction) {
  const authRequest = auth.handleRequest(req, res)
  const session = await authRequest.validate()

  if (!session) return next({ status: 401, type: 'UNAUTHORIZED', message: 'You are not authenticated.' })

  req.user = session.user
  req.sessionId = session.sessionId
  req.authRequest = authRequest

  return next()
}

Now, I was puzzled that my GET requests were going through but my POST requests weren't until I dug into the code. And I found a whitelist (const whitelist = ["GET", "HEAD", "OPTIONS", "TRACE"];) that is prohibiting POST requests to get through. Is there a reason behind that decision? How can I circumnavigate that issue? Should I get the request's cookie and handle validation myself?

I greatly appreciate your help!

[pilcrowonpaper]

By default, Lucia has CSRF protection enabled, which means it’ll ignore all non-GET requests not coming from a trusted origin

https://lucia-auth.com/basics/using-cookies/#security

[moritzlaube]

Thanks for your help, @pilcrowonpaper! I am using vite's proxy to proxy requests to /api to the backend server. But I was using Insomnia to test the API and was unaware that thus I was making cross-site requests … So this makes total sense. Thanks for pushing me in the right direction!