familienarchiv

Author	SHA1	Message	Date
Marcel	58254b492b	fix(security): add csrfFetch wrapper and apply to all client-side mutating requests Some checks failed CI / Unit & Component Tests (pull_request) Failing after 2m52s Details CI / OCR Service Tests (pull_request) Successful in 21s Details CI / Backend Unit Tests (pull_request) Successful in 3m48s Details CI / fail2ban Regex (pull_request) Successful in 44s Details CI / Semgrep Security Scan (pull_request) Successful in 20s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m4s Details Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE. Previously 8 call sites sent mutating requests without the CSRF header — annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum relationship creation, bulk-edit PATCH, and file upload — all would fail with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered. All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-30 10:50:56 +02:00
Marcel	19e2f65a21	fix(csrf): send X-XSRF-TOKEN on all client-side mutating fetch calls Some checks failed CI / Unit & Component Tests (push) Has been cancelled Details CI / OCR Service Tests (push) Has been cancelled Details CI / Backend Unit Tests (push) Has been cancelled Details CI / fail2ban Regex (push) Has been cancelled Details CI / Semgrep Security Scan (push) Has been cancelled Details CI / Compose Bucket Idempotency (push) Has been cancelled Details CI / Unit & Component Tests (pull_request) Successful in 3m34s Details CI / OCR Service Tests (pull_request) Successful in 20s Details CI / fail2ban Regex (pull_request) Has been cancelled Details CI / Semgrep Security Scan (pull_request) Has been cancelled Details CI / Compose Bucket Idempotency (pull_request) Has been cancelled Details CI / Backend Unit Tests (pull_request) Has been cancelled Details hooks.server.ts already forwards the CSRF token for server-side fetch (form actions, load). Client-side XHR calls bypassed it, causing Spring Security to return 403 before PermissionAspect even ran. Adds getCsrfToken/withCsrf/makeCsrfFetch to cookies.ts. useTranscriptionBlocks wraps its injectable fetchImpl with makeCsrfFetch (covers all block mutations and saveBlockWithConflictRetry). useBlockAutoSave, TranscriptionEditView, BulkDocumentEditLayout, OcrTrainingCard, and SegmentationTrainingCard apply withCsrf inline. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-20 20:35:51 +02:00
Marcel	d6db7a07bd	refactor: move shared utilities to lib/shared/ sub-packages Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 14:35:15 +02:00
Marcel	7dd05af867	refactor: move tag domain components to lib/tag/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 14:27:25 +02:00
Marcel	1e656d2db4	refactor: move document transcription, annotation, viewer sub-packages - transcription/: TranscriptionBlock, Column, EditView, PanelHeader, ReadView, Section + transcriptionMarkers, blockConflictMerge, saveBlockWithConflictRetry + useBlockAutoSave, useBlockDragDrop hooks - annotation/: AnnotationLayer, AnnotationShape, AnnotationEditOverlay - viewer/: PdfViewer, PdfControls + useFileLoader, usePdfRenderer hooks Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 14:01:39 +02:00
Marcel	e7f8aa5894	refactor: move document domain core to lib/document/ Moves ~25 components, utils (search, filename, groupDocuments, documentStatusLabel, validateFile), bulkSelection store, and TranscriptionSection sub-component. Fixes broken relative imports. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 13:56:36 +02:00

6 Commits