Only refresh cookie on post (#606)

nsarrazin · web-flow · commit b1c120fcbd4e · 2023-12-01T11:45:33.000+01:00
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -51,20 +51,25 @@ export const handle: Handle = async ({ event, resolve }) => {
 		"application/x-www-form-urlencoded",
 		"text/plain",
 	];
-	if (event.request.method === "POST" && nativeFormContentTypes.includes(requestContentType)) {
-		const referer = event.request.headers.get("referer");
 
-		if (!referer) {
-			return errorResponse(403, "Non-JSON form requests need to have a referer");
-		}
+	if (event.request.method === "POST") {
+		refreshSessionCookie(event.cookies, event.locals.sessionId);
+
+		if (nativeFormContentTypes.includes(requestContentType)) {
+			const referer = event.request.headers.get("referer");
+
+			if (!referer) {
+				return errorResponse(403, "Non-JSON form requests need to have a referer");
+			}
 
-		const validOrigins = [
-			new URL(event.request.url).origin,
-			...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []),
-		];
+			const validOrigins = [
+				new URL(event.request.url).origin,
+				...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []),
+			];
 
-		if (!validOrigins.includes(new URL(referer).origin)) {
-			return errorResponse(403, "Invalid referer for POST request");
+			if (!validOrigins.includes(new URL(referer).origin)) {
+				return errorResponse(403, "Invalid referer for POST request");
+			}
 		}
 	}
 
@@ -100,8 +105,6 @@ export const handle: Handle = async ({ event, resolve }) => {
 		}
 	}
 
-	refreshSessionCookie(event.cookies, event.locals.sessionId);
-
 	let replaced = false;
 
 	const response = await resolve(event, {
