From 302f4bc83703e3f41d06412beaa7a552a6851e73 Mon Sep 17 00:00:00 2001 From: VitorFOG Date: Mon, 23 Feb 2026 17:30:51 -0300 Subject: [PATCH] fix: handle stale CSRF tokens gracefully by clearing cookie and redirecting When deploying behind reverse proxies or switching between environments, stale CSRF cookies cause 403 errors. Instead of showing an error, clear the invalid cookie and redirect back so a fresh token is set automatically. Co-Authored-By: Claude Opus 4.6 --- pkg/handlers/router.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkg/handlers/router.go b/pkg/handlers/router.go index 862ad78..f4f38f0 100644 --- a/pkg/handlers/router.go +++ b/pkg/handlers/router.go @@ -61,6 +61,16 @@ func BuildRouter(c *services.Container) error { CookieHTTPOnly: false, // must be false so JS (Axios) can read it CookieSameSite: http.SameSiteStrictMode, ContextKey: context.CSRFKey, + ErrorHandler: func(err error, ctx echo.Context) error { + // Clear the stale CSRF cookie so a fresh token is set on redirect. + ctx.SetCookie(&http.Cookie{ + Name: "XSRF-TOKEN", + Value: "", + Path: "/", + MaxAge: -1, + }) + return ctx.Redirect(http.StatusFound, ctx.Request().URL.Path) + }, }), echo.WrapMiddleware(c.Inertia.Middleware), middleware.InertiaProps(), // leave this as the last one