CSRF implementation on server helpers

2026-02-07 18:23:03 +00:00 · 2026-01-09 05:34:48 +00:00
parent f7d4d6212d
commit e074500a77
13 changed files with 66 additions and 26 deletions
--- a/packages/frontend/src/lib/server/issue/byProject.ts
+++ b/packages/frontend/src/lib/server/issue/byProject.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function byProject({
@@ -12,7 +12,7 @@ export async function byProject({
    url.searchParams.set("projectId", `${projectId}`);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/issue/create.ts
+++ b/packages/frontend/src/lib/server/issue/create.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function create({
@@ -20,8 +20,13 @@ export async function create({
    if (description.trim() !== "") url.searchParams.set("description", description.trim());
    if (assigneeId != null) url.searchParams.set("assigneeId", `${assigneeId}`);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/issue/update.ts
+++ b/packages/frontend/src/lib/server/issue/update.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function update({
@@ -22,8 +22,13 @@ export async function update({
        url.searchParams.set("assigneeId", assigneeId === null ? "null" : `${assigneeId}`);
    }

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/organisation/addMember.ts
+++ b/packages/frontend/src/lib/server/organisation/addMember.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function addMember({
@@ -17,9 +17,14 @@ export async function addMember({
    url.searchParams.set("userId", `${userId}`);
    url.searchParams.set("role", role);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
        method: "POST",
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/organisation/byUser.ts
+++ b/packages/frontend/src/lib/server/organisation/byUser.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function byUser({
@@ -12,7 +12,7 @@ export async function byUser({
    url.searchParams.set("userId", `${userId}`);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/organisation/create.ts
+++ b/packages/frontend/src/lib/server/organisation/create.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function create({
@@ -20,8 +20,13 @@ export async function create({
    url.searchParams.set("userId", `${userId}`);
    if (description.trim() !== "") url.searchParams.set("description", description.trim());

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/organisation/members.ts
+++ b/packages/frontend/src/lib/server/organisation/members.ts
@@ -1,5 +1,5 @@
 import type { OrganisationMemberResponse } from "@issue/shared";
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function members({
@@ -13,7 +13,7 @@ export async function members({
    url.searchParams.set("organisationId", `${organisationId}`);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/organisation/removeMember.ts
+++ b/packages/frontend/src/lib/server/organisation/removeMember.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function removeMember({
@@ -14,9 +14,14 @@ export async function removeMember({
    url.searchParams.set("organisationId", `${organisationId}`);
    url.searchParams.set("userId", `${userId}`);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
        method: "POST",
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/project/byOrganisation.ts
+++ b/packages/frontend/src/lib/server/project/byOrganisation.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function byOrganisation({
@@ -12,7 +12,7 @@ export async function byOrganisation({
    url.searchParams.set("organisationId", `${organisationId}`);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/project/create.ts
+++ b/packages/frontend/src/lib/server/project/create.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function create({
@@ -20,8 +20,13 @@ export async function create({
    url.searchParams.set("creatorId", `${creatorId}`);
    url.searchParams.set("organisationId", `${organisationId}`);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/user/byUsername.ts
+++ b/packages/frontend/src/lib/server/user/byUsername.ts
@@ -1,5 +1,5 @@
 import type { UserRecord } from "@issue/shared";
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function byUsername({
@@ -13,7 +13,7 @@ export async function byUsername({
    url.searchParams.set("username", username);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/user/update.ts
+++ b/packages/frontend/src/lib/server/user/update.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function update({
@@ -20,8 +20,13 @@ export async function update({
    url.searchParams.set("password", password.trim());
    url.searchParams.set("avatarURL", avatarURL || "null");

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/user/uploadAvatar.ts
+++ b/packages/frontend/src/lib/server/user/uploadAvatar.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function uploadAvatar({
@@ -24,10 +24,15 @@ export async function uploadAvatar({
    const formData = new FormData();
    formData.append("file", file);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(`${getServerURL()}/user/upload-avatar`, {
        method: "POST",
-        headers: getAuthHeaders(),
+        headers,
        body: formData,
+        credentials: "include",
    });

    if (!res.ok) {