fix(security): add csrfFetch wrapper, apply to all client-side mutating requests #695

marcel merged 3 commits from fix/csrf-missing-client-fetches into main 2026-05-30 14:39:14 +02:00


@@ -45,8 +45,18 @@ export function makeCsrfFetch(inner: typeof fetch): typeof fetch {
* Drop-in replacement for fetch that automatically injects X-XSRF-TOKEN on
* all mutating requests (POST, PUT, PATCH, DELETE). Use this everywhere in
* client-side code instead of bare fetch + withCsrf().
*
* Implemented as a function (not a module-level const) so that test stubs
* applied via vi.stubGlobal('fetch', mock) are picked up at call time rather
* than being silently bypassed by a pre-captured reference.
*/
export const csrfFetch = makeCsrfFetch(fetch);
export function csrfFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
const method = (init?.method ?? 'GET').toUpperCase();
if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
return fetch(input, withCsrf(init));
}
return fetch(input, init);
}
/**
* Extracts the fa_session cookie value from a list of Set-Cookie response headers.
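Review bot: The new csrfFetch body derives the HTTP method only from `init?.method`, so a caller that passes a pre-built `Request` (e.g. `csrfFetch(new Request(url, { method: 'POST' }))`) is classified as GET and goes out without X-XSRF-TOKEN, contradicting the doc comment's "all mutating requests". I'd fall back to the Request's own method and flip the check to an allowlist of safe verbs so that uncommon mutating methods are not silently skipped: `const method = (init?.method ?? (input instanceof Request ? input.method : 'GET')).toUpperCase();` and `if (!['GET', 'HEAD', 'OPTIONS'].includes(method)) {`. Separately, unless withCsrf (defined outside this hunk) already checks the destination, the token is attached to every mutating request regardless of origin, which would hand the XSRF token to any third-party endpoint called through this wrapper — consider injecting only for same-origin URLs. The old makeCsrfFetch shown in the hunk header is presumably still exported; if so, a short comment pointing callers to csrfFetch would avoid two parallel wrappers drifting apart.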