fix(ocr): send CSRF token when starting an OCR run #705

Merged

marcel merged 2 commits from fix/ocr-trigger-csrf into main 2026-05-31 22:29:01 +02:00

Conversation 0 Commits 2 Files Changed 2 +31 -1

marcel commented 2026-05-31 21:10:14 +02:00

Owner

Copy Link

Problem

Starting an OCR run failed with "Sitzungsfehler. Bitte laden Sie die Seite neu."

Root cause

createOcrJob (frontend/src/lib/ocr/useOcrJob.svelte.ts) defaulted its fetchImpl to bare fetch. The document page instantiates it without a fetchImpl, so the OCR trigger POST /api/documents/{id}/ocr carried no X-XSRF-TOKEN header. Spring Security's CSRF filter rejected it, returning CSRF_TOKEN_MISSING, which maps to the German "Sitzungsfehler…" message.

This was the one remaining mutating client call still on bare fetch — the transcription autosave hook (useBlockAutoSave) already used csrfFetch.

Fix

Default the controller's fetchImpl to csrfFetch. It injects the token only on mutating methods (POST/PUT/PATCH/DELETE) and passes GET polling (/ocr/jobs/{id}, /ocr-status) through unchanged. Injected test mocks are unaffected.

Test

Added a failing-first test asserting the trigger POST carries X-XSRF-TOKEN on the default (no-fetchImpl) path. All 23 tests in the file pass; prettier + eslint clean.

🤖 Generated with Claude Code

## Problem Starting an OCR run failed with **"Sitzungsfehler. Bitte laden Sie die Seite neu."** ## Root cause `createOcrJob` (`frontend/src/lib/ocr/useOcrJob.svelte.ts`) defaulted its `fetchImpl` to bare `fetch`. The document page instantiates it without a `fetchImpl`, so the OCR trigger `POST /api/documents/{id}/ocr` carried **no `X-XSRF-TOKEN` header**. Spring Security's CSRF filter rejected it, returning `CSRF_TOKEN_MISSING`, which maps to the German "Sitzungsfehler…" message. This was the one remaining mutating client call still on bare `fetch` — the transcription autosave hook (`useBlockAutoSave`) already used `csrfFetch`. ## Fix Default the controller's `fetchImpl` to `csrfFetch`. It injects the token only on mutating methods (POST/PUT/PATCH/DELETE) and passes GET polling (`/ocr/jobs/{id}`, `/ocr-status`) through unchanged. Injected test mocks are unaffected. ## Test Added a failing-first test asserting the trigger POST carries `X-XSRF-TOKEN` on the default (no-`fetchImpl`) path. All 23 tests in the file pass; prettier + eslint clean. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 1 commit 2026-05-31 21:10:14 +02:00

fix(ocr): send CSRF token when starting an OCR run ... aab4fe37ae

The OCR trigger POST went through bare `fetch`, so it carried no
X-XSRF-TOKEN header. Spring Security rejected it and the UI showed
"Sitzungsfehler. Bitte laden Sie die Seite neu." (CSRF_TOKEN_MISSING).

Default the job controller's fetchImpl to csrfFetch — matching the
autosave hook — so mutating requests are CSRF-protected while GET
polling passes through unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

marcel added 1 commit 2026-05-31 22:10:28 +02:00

refactor(ocr): CSRF-wrap injected fetchImpl too, not just the default ... 246568301a

Mirror the useTranscriptionBlocks pattern: makeCsrfFetch(options.fetchImpl
?? fetch) wraps both the default and any injected fetch, so CSRF protection
holds regardless of how the hook is constructed — defense-in-depth against a
future caller injecting a bare fetch. Simplifies the CSRF test to assert on
the injected path instead of stubbing global fetch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

marcel merged commit 246568301a into main 2026-05-31 22:29:01 +02:00

marcel deleted branch fix/ocr-trigger-csrf 2026-05-31 22:29:02 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

needs-discussion

Has an open decision or design question that must be resolved before implementation can start.

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#705