From 1506502db222fef55c3b24f021a7790d5b6f210d Mon Sep 17 00:00:00 2001
From: Gilles <43683714+corp-0@users.noreply.github.com>
Date: Fri, 14 Nov 2025 01:23:14 -0300
Subject: [PATCH] fix: add support for trusted CSRF origins so admin forms work again
---
 example.env | 3 +++
 src/central_command/settings.py | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/example.env b/example.env
index c30f9a8..be447e5 100644
--- a/example.env
+++ b/example.env
@@ -18,3 +18,6 @@ DB_PORT=5432
 WEBSITE_URL = http://localhost:8000
 PASS_RESET_URL_SUFFIX = reset-password/
 ACCOUNT_CONFIRMATION_URL_SUFFIX = confirm-email/
+
+# trusted origins
+CSRF_TRUSTED_ORIGINS=http://localhost:8000,https://prod-api.unitystation.org,https://dev-api.unitystation.org
\ No newline at end of file
diff --git a/src/central_command/settings.py b/src/central_command/settings.py
index 69cf6c4..48df438 100644
--- a/src/central_command/settings.py
+++ b/src/central_command/settings.py
@@ -38,6 +38,9 @@ ALLOWED_HOSTS = ["*"] if DEBUG else ["localhost", "127.0.0.1"]
+_csrf_origins = os.environ.get("CSRF_TRUSTED_ORIGINS", "")
+CSRF_TRUSTED_ORIGINS = [origin.strip() for origin in _csrf_origins.split(",") if origin.strip()]
+
 INSTALLED_APPS = [
 "django.contrib.admin",
 "django.contrib.auth",
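Review bot: The sample value added to example.env puts the local, dev and production origins into one list, so a deployment that copies the file verbatim would trust `http://localhost:8000` and the dev site for unsafe requests against production. I would keep the example to the local origin, `CSRF_TRUSTED_ORIGINS=http://localhost:8000`, and extend the comment to something like `# trusted origins: comma-separated, scheme included; list only the origins that serve this deployment`. The new last line also lacks a trailing newline, as the `\ No newline at end of file` marker shows.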
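Review bot: The entries read from `CSRF_TRUSTED_ORIGINS` in settings.py are trusted as given, so a plain `http://` origin or a wildcard such as `https://*.example.org` (constructed example) set in a production environment passes through with nothing flagging it. Every entry is an origin allowed to send unsafe requests, admin form posts included, so the assignment deserves a comment stating the format and the risk, e.g. `# Comma-separated origins incl. scheme; each one may submit POSTs to this site, so list exact hosts and keep http:// for local use`. A guard for non-debug runs would be `CSRF_TRUSTED_ORIGINS = [o for o in CSRF_TRUSTED_ORIGINS if DEBUG or o.startswith("https://")]`, or raising instead of filtering if a silent drop is not wanted. The file's imports are outside the hunk, so this assumes `os` is already imported.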