Marcel 58254b492b fix(security): add csrfFetch wrapper and apply to all client-side mutating requests ...

Introduces `csrfFetch` (= `makeCsrfFetch(fetch)`) in cookies.ts as a
drop-in fetch replacement that auto-injects X-XSRF-TOKEN on POST/PUT/PATCH/DELETE.

Previously 8 call sites sent mutating requests without the CSRF header —
annotation resize, comment POST/PATCH/DELETE, Geschichte CRUD, Stammbaum
relationship creation, bulk-edit PATCH, and file upload — all would fail
with CSRF_TOKEN_MISSING if the backend's cookie-based protection triggered.

All 14 client-side mutating fetches now use csrfFetch; withCsrf/makeCsrfFetch
remain in the API for injectable-fetch use cases (e.g. useTranscriptionBlocks).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-30 10:50:56 +02:00

..

admin

fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

2026-05-30 10:50:56 +02:00

aktivitaeten

fix(frontend): add extractErrorCode to all api.server vi.mock factories

2026-05-21 09:31:53 +02:00

api

refactor(observability): remove console.log from tags proxy and enforce no-console lint rule

2026-05-17 09:45:49 +02:00

briefwechsel

fix(frontend): add extractErrorCode to all api.server vi.mock factories

2026-05-21 09:31:53 +02:00

documents

fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

2026-05-30 10:50:56 +02:00

enrich

refactor(frontend): replace all as-unknown-as error casts with extractErrorCode

2026-05-21 09:31:53 +02:00

forgot-password

test(routes): cover +error and forgot-password page branches

2026-05-11 21:50:28 +02:00

geschichten

fix(security): add csrfFetch wrapper and apply to all client-side mutating requests

2026-05-30 10:50:56 +02:00

hilfe/transkription

fix(style): move transkription print styles to global CSS to suppress Tailwind noise

2026-05-12 11:35:40 +02:00

login

test(login): add browser component test for rate-limited login UI state

2026-05-19 09:23:01 +02:00

logout

test(auth): Vitest coverage for logout action

2026-05-17 22:49:06 +02:00

persons

feat(person): generation dropdown on Person edit/new forms (#689)

2026-05-28 15:55:25 +02:00

profile

refactor(frontend): replace all as-unknown-as error casts with extractErrorCode

2026-05-21 09:31:53 +02:00

register

test(register): replace 8 setTimeout sleeps with vi.waitFor on reactive state changes

2026-05-11 21:50:28 +02:00

reset-password

test: cover OcrTrigger, CoCorrespondentsList, reset-password page

2026-05-11 21:50:28 +02:00

stammbaum

test(stammbaum): fix two CI-only browser-test failures (#692)

2026-05-29 20:42:50 +02:00

themen

fix(themen): correct link color and tag navigation route

2026-05-25 19:29:53 +02:00

users/[id]

refactor(frontend): replace all as-unknown-as error casts with extractErrorCode

2026-05-21 09:31:53 +02:00

+error.svelte

refactor(observability): lower trace sample rate, add DSN comment, improve status visibility

2026-05-17 10:27:01 +02:00

+layout.server.ts

feat(geschichten): frontend foundation — canBlogWrite, sanitize util, nav, i18n

2026-05-02 17:43:29 +02:00

+layout.svelte

refactor(confirm-service): normalise import spelling to no-extension form

2026-05-13 08:02:26 +02:00

+page.server.ts

Merge remote-tracking branch 'origin/main' into HEAD

2026-05-27 22:16:26 +02:00

+page.svelte

feat(dashboard): move ThemenWidget to full-width position

2026-05-25 19:03:47 +02:00

AppNav.svelte

fix(i18n): wire AppNav hamburger aria-label through Paraglide messages

2026-05-19 16:52:08 +02:00

AppNav.svelte.test.ts

test(routes): drop 2 setTimeout sleeps in AppNav (auto-wait via expect.element)

2026-05-11 21:50:28 +02:00

AuthHeader.svelte

refactor: move shared components to lib/shared/ sub-packages

2026-05-05 14:40:14 +02:00

AuthHeader.svelte.test.ts

test: cover five small index/empty-state route components

2026-05-11 21:50:28 +02:00

DocumentList.svelte

feat(documents): explain that a date range excludes undated documents

2026-05-27 18:50:18 +02:00

DocumentList.svelte.spec.ts

feat(documents): explain that a date range excludes undated documents

2026-05-27 18:50:18 +02:00

DocumentList.svelte.test.ts

fix(document): fix test regressions from DocumentListItem migration

2026-05-22 19:19:28 +02:00

DropZone.svelte

refactor: move lib-root files to lib/shared/ and finalize domain structure

2026-05-05 14:53:31 +02:00

DropZone.svelte.spec.ts

test(dropzone): replace setTimeout flake with vi.waitFor + hoisted mock

2026-04-20 22:42:23 +02:00

DropZone.svelte.test.ts

test(routes): rewrite DropZone test with behavioral assertions

2026-05-11 21:50:28 +02:00

error.svelte.test.ts

feat(observability): guard navigator.clipboard and handle rejection in copyId

2026-05-17 10:24:35 +02:00

layout.css

feat(stammbaum): render generation gutter on the family tree (#689)

2026-05-28 15:49:23 +02:00

layout.svelte.spec.ts

fix(tests): use native element clicks in layout dropdown spec

2026-05-14 11:07:22 +02:00

page.server.spec.ts

test(dashboard): add missing tag tree mock to recentDocs reader test

2026-05-25 19:45:28 +02:00

page.svelte.spec.ts

feat(dashboard): wire ReaderHeaderBar, grid content row, delete ReaderStatsStrip (#483)

2026-05-08 17:13:00 +02:00

page.svelte.test.ts

test(routes): convert 3 .not.toThrow in home page to main/h1 assertions

2026-05-11 21:50:28 +02:00

SearchFilterBar.svelte

fix(documents): give the undated count chip a self-describing a11y name

2026-05-27 19:54:48 +02:00

SearchFilterBar.svelte.spec.ts

feat(documents): show global undated count chip on the filter toggle

2026-05-27 19:42:57 +02:00

UserMenu.svelte

refactor: move shared utilities to lib/shared/ sub-packages

2026-05-05 14:35:15 +02:00

UserMenu.svelte.test.ts

test: cover DashboardFamilyPulse and UserMenu branches

2026-05-11 21:50:28 +02:00