fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE. Previously 8 call sites sent mutating requests without the CSRF header — annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum relationship creation, bulk-edit PATCH, and file upload — all would fail with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered. All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 10:50:56 +02:00
parent 8cc6031ef0
commit 58254b492b
15 changed files with 53 additions and 44 deletions
--- a/frontend/src/routes/documents/bulk-edit/+page.svelte
+++ b/frontend/src/routes/documents/bulk-edit/+page.svelte
@@ -7,6 +7,7 @@ import BulkDocumentEditLayout, {
 } from '$lib/document/BulkDocumentEditLayout.svelte';
 import { getErrorMessage, parseBackendError } from '$lib/shared/errors';
 import { m } from '$lib/paraglide/messages.js';
+import { csrfFetch } from '$lib/shared/cookies';

 let entries = $state<BulkEditEntry[]>([]);
 let loading = $state(true);
@@ -22,7 +23,7 @@ onMount(async () => {
 		return;
 	}
 	try {
-		const res = await fetch('/api/documents/batch-metadata', {
+		const res = await csrfFetch('/api/documents/batch-metadata', {
 			method: 'POST',
 			headers: { 'Content-Type': 'application/json' },
 			body: JSON.stringify({ ids })