@autumnsgrove/groveengine 0.9.7 → 0.9.71

package/dist/utils/csrf.js

@@ -48,13 +48,18 @@ export function validateCSRF(request) {
             if (!isLocalhost && originUrl.protocol !== "https:") {
                 return false;
             }
-            // STRICT: Require exact hostname match (same-origin)
+            // STRICT: Require exact origin match (same-origin policy)
             // This prevents cross-tenant CSRF attacks where tenant1.grove.place
             // could make requests to tenant2.grove.place
             const hostUrl = host ? new URL(`https://${host}`) : null;
             const isSameHost = hostUrl && originUrl.hostname === hostUrl.hostname;
-            // Only allow same-host or localhost
-            if (!isLocalhost && !isSameHost) {
+            // Check port match - same-origin policy requires protocol + host + port
+            // Default ports: 443 for https, 80 for http (empty string in URL.port)
+            const originPort = originUrl.port || (originUrl.protocol === "https:" ? "443" : "80");
+            const hostPort = hostUrl?.port || "443"; // host header typically omits default port
+            const isSamePort = originPort === hostPort;
+            // Only allow same-host AND same-port, or localhost
+            if (!isLocalhost && (!isSameHost || !isSamePort)) {
                 return false;
             }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autumnsgrove/groveengine",
-  "version": "0.9.7",
+  "version": "0.9.71",
   "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
   "author": "AutumnsGrove",
   "license": "AGPL-3.0-only",
@@ -10,8 +10,7 @@
     "directory": "packages/engine"
   },
   "publishConfig": {
-    "registry": "https://registry.npmjs.org",
-    "access": "public"
+    "registry": "https://npm.pkg.github.com"
   },
   "keywords": [
     "blog",