From 5fc208c9da407aa84328504b227ea2fd5f4bffff Mon Sep 17 00:00:00 2001
From: Kharec
Date: Thu, 23 Apr 2026 13:34:43 +0200
Subject: [PATCH] fix: only skip CSRF for /api/ routes with Bearer tokens

---
 internal/middleware/csrf.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/middleware/csrf.go b/internal/middleware/csrf.go
index 81c69c8..14df31d 100644
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -71,7 +71,7 @@ func CSRFMiddleware() func(http.Handler) http.Handler {
 			return
 		}
 
-		if strings.HasPrefix(r.URL.Path, "/api/") {
+		if strings.HasPrefix(r.URL.Path, "/api/") && hasBearerToken(r) {
 			next.ServeHTTP(w, r)
 			return
 		}
@@ -86,6 +86,11 @@ func CSRFMiddleware() func(http.Handler) http.Handler {
 	}
 }
 
+func hasBearerToken(r *http.Request) bool {
+	auth := strings.TrimSpace(r.Header.Get("Authorization"))
+	return strings.HasPrefix(auth, "Bearer ")
+}
+
 func IsHTTPS(r *http.Request) bool {
 	if r.TLS != nil {
 		return true
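Review bot: The skip at `if strings.HasPrefix(r.URL.Path, "/api/") && hasBearerToken(r)` exempts a request from CSRF checking on header shape alone, before anything has validated the token, so its safety rests on two things this hunk cannot show: that the handlers behind /api/ authenticate from the Bearer token and never fall back to the session cookie when the token is missing, malformed or expired, and that the CORS policy does not allow `Authorization` from arbitrary credentialed origins. If either assumption fails, a cross-site page can attach a junk `Authorization: Bearer x` header and ride the victim's cookie past this check. Worth pinning the assumption in a comment at the skip, e.g. `// Bearer-authenticated API calls carry no ambient credential, so CSRF does not apply; the auth layer must reject cookie fallback whenever a Bearer header is present.` CSRFMiddleware begins before this hunk, so the early return visible at its top belongs to a condition not shown here.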
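Review bot: `hasBearerToken` matches the scheme case-sensitively via `strings.HasPrefix(auth, "Bearer ")`, while RFC 7235 makes the auth-scheme token case-insensitive, so a client sending `bearer <token>` that the auth layer accepts would still be routed through the CSRF check and presumably rejected. That fails closed, so it is a compatibility rather than a security problem, but if the auth layer is case-insensitive this predicate should be too, e.g. `return len(auth) > 7 && strings.EqualFold(auth[:7], "Bearer ")`. The cleanest fix is to share one predicate with whatever middleware actually verifies the token so the two can never disagree. The function also needs a doc comment making clear it tests presence, not validity: `// hasBearerToken reports whether the request carries an Authorization header using the Bearer scheme; it does not validate the token.`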