Marcel 902f855bd0 fix(csrf): send X-XSRF-TOKEN on all client-side mutating fetch calls ...

hooks.server.ts already forwards the CSRF token for server-side fetch
(form actions, load). Client-side XHR calls bypassed it, causing Spring
Security to return 403 before PermissionAspect even ran.

Adds getCsrfToken/withCsrf/makeCsrfFetch to cookies.ts.
useTranscriptionBlocks wraps its injectable fetchImpl with makeCsrfFetch
(covers all block mutations and saveBlockWithConflictRetry).
useBlockAutoSave, TranscriptionEditView, BulkDocumentEditLayout,
OcrTrainingCard, and SegmentationTrainingCard apply withCsrf inline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 20:10:12 +02:00

..

__meta__

test(meta): add duplicate-id vi.mock detector under __meta__/

2026-05-13 08:06:14 +02:00

lib

fix(csrf): send X-XSRF-TOKEN on all client-side mutating fetch calls

2026-05-20 20:10:12 +02:00

routes

fix(notification): address review suggestions

2026-05-20 07:31:26 +02:00

app.d.ts

feat(observability): add App.Error interface with errorId to app.d.ts

2026-05-17 09:40:12 +02:00

app.html

feat(nav): add ThemeToggle component with moon/sun icons and no-flash script

2026-03-25 13:47:56 +01:00

hooks.client.test.ts

test(observability): add hooks.client.test.ts unit tests for handleError callback

2026-05-17 10:25:30 +02:00

hooks.client.ts

refactor(observability): lower trace sample rate, add DSN comment, improve status visibility

2026-05-17 10:27:01 +02:00

hooks.server.test.ts

test(auth): userGroup hook redirect + cookie cleanup coverage

2026-05-17 22:50:41 +02:00

hooks.server.ts

fix(auth): tighten API URL match, add Retry-After header, and add missing tests

2026-05-19 09:23:01 +02:00

hooks.ts

restructure: flatten workspace nesting, move devcontainer to root

2026-03-15 11:47:58 +01:00

test-setup.ts

test(setup): also disable data-sveltekit-preload-code in browser tests

2026-05-12 22:32:03 +02:00