marcel/familienarchiv
1
0
Fork 0
Code Issues 119 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(ocr): send CSRF token when starting an OCR run #705

Merged
marcel merged 2 commits from fix/ocr-trigger-csrf into main 2026-05-31 22:29:01 +02:00
Conversation 0 Commits 2 Files Changed 2 +31 -1

2 Commits

Author SHA1 Message Date
Marcel
246568301a refactor(ocr): CSRF-wrap injected fetchImpl too, not just the default
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m19s
Details
CI / OCR Service Tests (pull_request) Successful in 21s
Details
CI / Backend Unit Tests (pull_request) Successful in 3m33s
Details
CI / fail2ban Regex (pull_request) Successful in 43s
Details
CI / Semgrep Security Scan (pull_request) Successful in 21s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 1m2s
Details
CI / Unit & Component Tests (push) Successful in 3m24s
Details
CI / OCR Service Tests (push) Successful in 20s
Details
CI / Backend Unit Tests (push) Successful in 3m32s
Details
CI / fail2ban Regex (push) Successful in 44s
Details
CI / Semgrep Security Scan (push) Successful in 21s
Details
CI / Compose Bucket Idempotency (push) Successful in 1m2s
Details
nightly / deploy-staging (push) Successful in 3m47s
Details 
Mirror the useTranscriptionBlocks pattern: makeCsrfFetch(options.fetchImpl
?? fetch) wraps both the default and any injected fetch, so CSRF protection
holds regardless of how the hook is constructed — defense-in-depth against a
future caller injecting a bare fetch. Simplifies the CSRF test to assert on
the injected path instead of stubbing global fetch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-05-31 22:10:09 +02:00
Marcel
aab4fe37ae fix(ocr): send CSRF token when starting an OCR run
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m16s
Details
CI / OCR Service Tests (pull_request) Successful in 21s
Details
CI / Backend Unit Tests (pull_request) Successful in 3m38s
Details
CI / fail2ban Regex (pull_request) Successful in 42s
Details
CI / Semgrep Security Scan (pull_request) Successful in 19s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 1m5s
Details 
The OCR trigger POST went through bare `fetch`, so it carried no
X-XSRF-TOKEN header. Spring Security rejected it and the UI showed
"Sitzungsfehler. Bitte laden Sie die Seite neu." (CSRF_TOKEN_MISSING).

Default the job controller's fetchImpl to csrfFetch — matching the
autosave hook — so mutating requests are CSRF-protected while GET
polling passes through unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-05-31 21:09:18 +02:00