CSRF cookie isn't transmitted when using a mixture of Vite and Rust in debug mode

pmeunier

May 18, 2026, 2:59 PM

ILSJQ26VW6D3E5BE2DAFE3TDHJIRLFZ5RAXR7Y4RQNDZHBVDDVZAC

Dependencies

• [2] D4SBRY6K Initial patch
• [3] LE34RHBB Fixing a CORS bug
• [4] X7GJK2QD Update
• [5] HRAWXWFE Forwarding the set-cookie header set for CSRF

Change contents

• replacement in ui/src/hooks.server.ts at line 12
  [3.990]→[3.990:1028](∅→∅)
  − console.log("request", request.url)
  [3.990]

  [3.1028]
  + console.log('request', request.url);
• edit in api/src/main.rs at line 758
  [2.472843]

  [2.472843]
  + }

  + }

  +

  + fn csrf_verify(token: &axum_csrf::CsrfToken, t: &str) -> Result<(), Error> {

  + if cfg!(debug_assertions) {

  + Ok(())

  + } else {

  + Ok(token.verify(t)?)
• edit in api/src/channel.rs at line 1
  [2.544780]

  [2.544781]
  + use crate::Config;
• edit in api/src/channel.rs at line 4
  [2.544844]→[2.544844:544863](∅→∅)
  − use crate::Config;
• edit in api/src/channel.rs at line 5
  [2.544875]

  [2.544875]
  + Router,
• edit in api/src/channel.rs at line 9
  [2.544972]→[2.544972:544984](∅→∅)
  − Router,
• replacement in api/src/channel.rs at line 39
  [2.545684]→[2.545684:545716](∅→∅)
  − token.verify(&fork.token)?;
  [2.545684]

  [2.545716]
  + crate::csrf_verify(&token, &fork.token)?;