fix(admin): include CSRF token on admin trigger/backfill POSTs

The four admin actions (trigger-import, generate-thumbnails,
backfill-versions, backfill-file-hashes) were posting bare fetches, so
the backend's CSRF filter would reject them once the protection is on.
Wrap each init with withCsrf() so the X-XSRF-TOKEN header is attached
from the cookie — same pattern other admin actions use.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Marcel
2026-05-28 12:55:34 +02:00
parent 4581fc0b1f
commit 548bc60747


@@ -3,6 +3,7 @@ import { onDestroy } from 'svelte';
import { m } from '$lib/paraglide/messages.js';
import ImportStatusCard from './ImportStatusCard.svelte';
import type { ImportStatus } from './types.js';
import { withCsrf } from '$lib/shared/cookies';
let backfillResult: number | null = $state(null);
let backfillLoading = $state(false);
@@ -61,7 +62,7 @@ async function fetchImportStatus() {
}
async function triggerImport() {
const res = await fetch('/api/admin/trigger-import', { method: 'POST' });
const res = await fetch('/api/admin/trigger-import', withCsrf({ method: 'POST' }));
if (res.ok) {
importStatus = await res.json();
if (importStatus!.state === 'RUNNING') {
@@ -83,7 +84,7 @@ async function fetchThumbnailStatus() {
}
async function triggerThumbnails() {
const res = await fetch('/api/admin/generate-thumbnails', { method: 'POST' });
const res = await fetch('/api/admin/generate-thumbnails', withCsrf({ method: 'POST' }));
if (res.ok) {
thumbnailStatus = await res.json();
if (thumbnailStatus!.state === 'RUNNING') {
@@ -106,7 +107,7 @@ async function backfillVersions() {
backfillLoading = true;
backfillResult = null;
try {
const res = await fetch('/api/admin/backfill-versions', { method: 'POST' });
const res = await fetch('/api/admin/backfill-versions', withCsrf({ method: 'POST' }));
if (res.ok) {
const data = await res.json();
backfillResult = data.count;
@@ -120,7 +121,7 @@ async function backfillFileHashes() {
backfillHashesLoading = true;
backfillHashesResult = null;
try {
const res = await fetch('/api/admin/backfill-file-hashes', { method: 'POST' });
const res = await fetch('/api/admin/backfill-file-hashes', withCsrf({ method: 'POST' }));
if (res.ok) {
const data = await res.json();
backfillHashesResult = data.count;
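Review bot: Each of the four POSTs (in triggerImport, triggerThumbnails, backfillVersions and backfillFileHashes) now opts in to the CSRF header by hand at its own call site, which is the same shape that let these calls ship without the token in the first place. A single local helper, for example `const postAdmin = (url: string) => fetch(url, withCsrf({ method: 'POST' }));`, would give the next admin action the header by default instead of relying on the author to remember the wrapper. The `if (res.ok)` branches continue outside the hunks, so it is not visible here whether a 403 from the CSRF filter (for instance when the cookie is absent or stale) is surfaced to the admin or silently dropped. That path is worth checking before the filter is switched on.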