From d09982bc8fa41afc793b627d2e68cedbf0e0bed3 Mon Sep 17 00:00:00 2001
From: JAPER
Date: Tue, 2 Sep 2025 12:15:45 +1000
Subject: [PATCH] Normalize CSRF token header in createThought API
---
 src/pages/api/createThought.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pages/api/createThought.js b/src/pages/api/createThought.js
index 081a5d2..89cf0c8 100644
--- a/src/pages/api/createThought.js
+++ b/src/pages/api/createThought.js
@@ -19,7 +19,9 @@ export default async (req, res) => {
 }
 const sessionToken = req.cookies?.csrfToken;
- const csrfToken = req.headers['x-csrf-token'];
+ const csrfToken = Array.isArray(req.headers['x-csrf-token'])
+ ? req.headers['x-csrf-token'][0]
+ : req.headers['x-csrf-token'];
 if (!csrfToken || csrfToken !== sessionToken) {
 res.status(403).json({ error: 'Invalid or missing CSRF token.' });
 return;
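Review bot: The check at `csrfToken !== sessionToken` only proves that the header matches the `csrfToken` cookie. Nothing visible in this hunk shows that the cookie is signed or bound to the user's server-side session. If it is a bare random value, the double-submit check holds only as long as nobody else can write cookies for this domain, so consider verifying an HMAC of the session identifier before the equality test. Separately, Node's HTTP parser joins repeated custom headers into a single comma-separated string, so the new `Array.isArray` branch is probably never taken at runtime; a comment such as `// Node joins duplicate x-csrf-token headers with ', '; the array branch only covers the string | string[] type` would record that. The handler body starts and ends outside the hunk, so how the cookie is issued should be confirmed there.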