Remove standard CSRF middleware for lax-proto

asaharan · asaharan · commit bb30d29f26c3 · 2025-09-01T21:41:47.000+05:30
Previously, two CSRF middlewares were added for lax-proto requests: one
at the beginning and one at the end. This change replaces them with a
single middleware placed at the beginning. Non-lax-proto cases remain
unchanged.
diff --git a/.changeset/curvy-glasses-wash.md b/.changeset/curvy-glasses-wash.md
@@ -0,0 +1,5 @@
+---
+'@builder.io/qwik-city': patch
+---
+
+fix behaviour of checkOrigin: "lax-proto" in createQwikCity
diff --git a/packages/qwik-city/src/middleware/request-handler/resolve-request-handlers.ts b/packages/qwik-city/src/middleware/request-handler/resolve-request-handlers.ts
@@ -66,10 +66,10 @@ export const resolveRequestHandlers = (
       checkOrigin &&
       (method === 'POST' || method === 'PUT' || method === 'PATCH' || method === 'DELETE')
     ) {
-      requestHandlers.unshift(csrfCheckMiddleware);
-
       if (checkOrigin === 'lax-proto') {
-        requestHandlers.push(csrfLaxProtoCheckMiddleware);
+        requestHandlers.unshift(csrfLaxProtoCheckMiddleware);
+      } else {
+        requestHandlers.unshift(csrfCheckMiddleware);
       }
     }
     if (isPageRoute) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@builder.io/qwik-city': patch
 +---
++
 +fix behaviour of checkOrigin: "lax-proto" in createQwikCity
Original file line number	Diff line number	Diff line change
`@@ -66,10 +66,10 @@ export const resolveRequestHandlers = (`
`66`	`66`	`checkOrigin &&`
`67`	`67`	`(method === 'POST' \|\| method === 'PUT' \|\| method === 'PATCH' \|\| method === 'DELETE')`
`68`	`68`	`) {`
`69`		`- requestHandlers.unshift(csrfCheckMiddleware);`
`70`		`-`
`71`	`69`	`if (checkOrigin === 'lax-proto') {`
`72`		`- requestHandlers.push(csrfLaxProtoCheckMiddleware);`
	`70`	`+ requestHandlers.unshift(csrfLaxProtoCheckMiddleware);`
	`71`	`+ } else {`
	`72`	`+ requestHandlers.unshift(csrfCheckMiddleware);`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`	`if (isPageRoute) {`