From da04d42df20573a68ab9d3dab76b42a206db57d6 Mon Sep 17 00:00:00 2001
From: vegard <vnotnes@pm.me>
Date: Fri, 20 Mar 2026 02:05:35 +0000
Subject: [PATCH] Deaktiver SvelteKit CSRF origin-sjekk for multi-subdomain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ORIGIN er hardkodet til ws.synops.no, men adm.synops.no trenger
også POST (auth callback). CSRF ivaretatt av OIDC PKCE+state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 frontend/svelte.config.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/svelte.config.js b/frontend/svelte.config.js
index ad116dc..a0ffada 100644
--- a/frontend/svelte.config.js
+++ b/frontend/svelte.config.js
@@ -3,7 +3,10 @@ import adapter from '@sveltejs/adapter-node';
 /** @type {import('@sveltejs/kit').Config} */
 const config = {
 	kit: {
-		adapter: adapter()
+		adapter: adapter(),
+		csrf: {
+			checkOrigin: false
+		}
 	},
 	vitePlugin: {
 		dynamicCompileOptions: ({ filename }) =>