marcel/familienarchiv
1
0
Fork 0
Code Issues 108 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(csrf): send X-XSRF-TOKEN on all client-side mutating fetch calls
Some checks failed
CI / Unit & Component Tests (push) Has been cancelled
Details
CI / OCR Service Tests (push) Has been cancelled
Details
CI / Backend Unit Tests (push) Has been cancelled
Details
CI / fail2ban Regex (push) Has been cancelled
Details
CI / Semgrep Security Scan (push) Has been cancelled
Details
CI / Compose Bucket Idempotency (push) Has been cancelled
Details
CI / Unit & Component Tests (pull_request) Successful in 3m34s
Details
CI / OCR Service Tests (pull_request) Successful in 20s
Details
CI / fail2ban Regex (pull_request) Has been cancelled
Details
CI / Semgrep Security Scan (pull_request) Has been cancelled
Details
CI / Compose Bucket Idempotency (pull_request) Has been cancelled
Details
CI / Backend Unit Tests (pull_request) Has been cancelled
Details

Browse Source 
hooks.server.ts already forwards the CSRF token for server-side fetch
(form actions, load). Client-side XHR calls bypassed it, causing Spring
Security to return 403 before PermissionAspect even ran.

Adds getCsrfToken/withCsrf/makeCsrfFetch to cookies.ts.
useTranscriptionBlocks wraps its injectable fetchImpl with makeCsrfFetch
(covers all block mutations and saveBlockWithConflictRetry).
useBlockAutoSave, TranscriptionEditView, BulkDocumentEditLayout,
OcrTrainingCard, and SegmentationTrainingCard apply withCsrf inline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #648.
This commit is contained in:
Marcel
2026-05-20 20:10:12 +02:00
committed by marcel
parent 909f960b2e
commit 19e2f65a21
7 changed files with 73 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
frontend/src/lib/ocr/SegmentationTrainingCard.svelte
View File

@@ -2,6 +2,7 @@
import TrainingHistory from './TrainingHistory.svelte';
import { m } from '$lib/paraglide/messages.js';
import type { TrainingRun } from '$lib/ocr/training.js';
import { withCsrf } from '$lib/shared/cookies';
interface TrainingInfo {
availableSegBlocks?: number;
@@ -27,7 +28,7 @@ async function startTraining() {
training = true;
successMessage = null;
try {
const res = await fetch('/api/ocr/segtrain', { method: 'POST' });
const res = await fetch('/api/ocr/segtrain', withCsrf({ method: 'POST' }));
if (res.ok) {
successMessage = m.training_success();
setTimeout(() => {