From e074500a776a72cb86e8f45023b1912b4f68342a Mon Sep 17 00:00:00 2001 From: Oliver Bryan <04oliverbryan@gmail.com> Date: Fri, 9 Jan 2026 05:34:48 +0000 Subject: [PATCH] CSRF implementation on server helpers --- packages/frontend/src/lib/server/issue/byProject.ts | 4 ++-- packages/frontend/src/lib/server/issue/create.ts | 9 +++++++-- packages/frontend/src/lib/server/issue/update.ts | 9 +++++++-- .../frontend/src/lib/server/organisation/addMember.ts | 9 +++++++-- packages/frontend/src/lib/server/organisation/byUser.ts | 4 ++-- packages/frontend/src/lib/server/organisation/create.ts | 9 +++++++-- packages/frontend/src/lib/server/organisation/members.ts | 4 ++-- .../frontend/src/lib/server/organisation/removeMember.ts | 9 +++++++-- .../frontend/src/lib/server/project/byOrganisation.ts | 4 ++-- packages/frontend/src/lib/server/project/create.ts | 9 +++++++-- packages/frontend/src/lib/server/user/byUsername.ts | 4 ++-- packages/frontend/src/lib/server/user/update.ts | 9 +++++++-- packages/frontend/src/lib/server/user/uploadAvatar.ts | 9 +++++++-- 13 files changed, 66 insertions(+), 26 deletions(-) diff --git a/packages/frontend/src/lib/server/issue/byProject.ts b/packages/frontend/src/lib/server/issue/byProject.ts index 51ca384..d3d4067 100644 --- a/packages/frontend/src/lib/server/issue/byProject.ts +++ b/packages/frontend/src/lib/server/issue/byProject.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function byProject({ @@ -12,7 +12,7 @@ export async function byProject({ url.searchParams.set("projectId", `${projectId}`); const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/issue/create.ts b/packages/frontend/src/lib/server/issue/create.ts index 0d86732..c3b46af 100644 --- a/packages/frontend/src/lib/server/issue/create.ts 
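Review bot: `credentials: "include"` only carries the session cookie cross-origin if the API replies with an explicit `Access-Control-Allow-Origin` (not `*`) and `Access-Control-Allow-Credentials: true`, and if `getServerURL()` points at a different site the cookie additionally needs `SameSite=None; Secure` — which gives up the browser's default CSRF protection and makes the token on the write helpers the only defence. Neither the CORS response headers nor the cookie attributes are in this diff, so they need confirming alongside it. Dropping `getAuthHeaders()` also removes any header-based credential for this read, so non-browser callers (tests, scripts) now need a cookie jar; a comment such as `// session cookie is the only credential; API must answer with allow-credentials CORS` would make that explicit. byProject starts before and ends after this hunk.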
+++ b/packages/frontend/src/lib/server/issue/create.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function create({ @@ -20,8 +20,13 @@ export async function create({ if (description.trim() !== "") url.searchParams.set("description", description.trim()); if (assigneeId != null) url.searchParams.set("assigneeId", `${assigneeId}`); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/issue/update.ts b/packages/frontend/src/lib/server/issue/update.ts index acc698e..a0b9060 100644 --- a/packages/frontend/src/lib/server/issue/update.ts +++ b/packages/frontend/src/lib/server/issue/update.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function update({ @@ -22,8 +22,13 @@ export async function update({ url.searchParams.set("assigneeId", assigneeId === null ? "null" : `${assigneeId}`); } + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/organisation/addMember.ts b/packages/frontend/src/lib/server/organisation/addMember.ts index a686ce9..78610eb 100644 --- a/packages/frontend/src/lib/server/organisation/addMember.ts +++ b/packages/frontend/src/lib/server/organisation/addMember.ts 
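Review bot: The request still has no `method`, so fetch issues a GET that creates an issue from query-string parameters; CSRF middleware conventionally validates the token only on unsafe methods, so with cookie auth an `<img src="…/issue/create?title=…">` on any site would most likely still succeed, header or not. Add `method: "POST",` beside `headers,` and move `title`, `description` and `assigneeId` into a request body (the route has to accept that, which is outside this diff). The `if (csrfToken)` guard also lets the request leave with no token at all, turning a misconfigured page into a late 403; `if (!csrfToken) throw new Error("CSRF token unavailable");` fails fast in the client instead. create starts before and ends after this hunk.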
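Review bot: `update` sends a state change as a GET with `assigneeId` and the other fields in the URL, so the new `X-CSRF-Token` header rides on a request type the server-side check most likely ignores, and the mutation parameters end up in access logs, proxies and browser history as well; it should be `method: "POST",` with the fields in a body. The three-line token preamble is now duplicated in eight helpers; a `getCsrfHeaders(): Record<string, string>` next to `getCsrfToken` in `@/lib/utils` would keep the header name and the missing-token behaviour in one place. update starts before and ends after this hunk.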
@@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function addMember({ @@ -17,9 +17,14 @@ export async function addMember({ url.searchParams.set("userId", `${userId}`); url.searchParams.set("role", role); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { method: "POST", - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/organisation/byUser.ts b/packages/frontend/src/lib/server/organisation/byUser.ts index cbe892c..5b9fe83 100644 --- a/packages/frontend/src/lib/server/organisation/byUser.ts +++ b/packages/frontend/src/lib/server/organisation/byUser.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function byUser({ @@ -12,7 +12,7 @@ export async function byUser({ url.searchParams.set("userId", `${userId}`); const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/organisation/create.ts b/packages/frontend/src/lib/server/organisation/create.ts index 8c7656f..bba571b 100644 --- a/packages/frontend/src/lib/server/organisation/create.ts +++ b/packages/frontend/src/lib/server/organisation/create.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function create({ 
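Review bot: Adding `X-CSRF-Token` makes this POST a preflighted request, so the API must list it in `Access-Control-Allow-Headers` (and `POST` in `Access-Control-Allow-Methods`) or every membership change fails in the browser with an opaque CORS error while curl keeps working; nothing in the diff shows that server side. A comment on the header line would save the next person the debugging: `// custom header => CORS preflight; API must allow X-CSRF-Token`. `role` and `userId` still travel in the query string of a POST, which is fine for CSRF purposes but means they are recorded wherever the URL is logged. addMember starts before and ends after this hunk.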
@@ -20,8 +20,13 @@ export async function create({ url.searchParams.set("userId", `${userId}`); if (description.trim() !== "") url.searchParams.set("description", description.trim()); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/organisation/members.ts b/packages/frontend/src/lib/server/organisation/members.ts index 76ed788..e8845f7 100644 --- a/packages/frontend/src/lib/server/organisation/members.ts +++ b/packages/frontend/src/lib/server/organisation/members.ts @@ -1,5 +1,5 @@ import type { OrganisationMemberResponse } from "@issue/shared"; -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function members({ @@ -13,7 +13,7 @@ export async function members({ url.searchParams.set("organisationId", `${organisationId}`); const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/organisation/removeMember.ts b/packages/frontend/src/lib/server/organisation/removeMember.ts index 925815f..27d8ad0 100644 --- a/packages/frontend/src/lib/server/organisation/removeMember.ts +++ b/packages/frontend/src/lib/server/organisation/removeMember.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function removeMember({ 
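Review bot: Organisation creation is still a GET (no `method`), so the token header is attached to a safe method that CSRF checks typically skip, and `description` — free text — goes into the URL where it is subject to length limits and logging; this wants `method: "POST",` with a body. Separately, `userId` is sent by the client as the creator: now that the session cookie identifies the caller, the server should take the actor from the session and ignore or cross-check the query parameter, otherwise a user could create organisations on behalf of another — whether the route already does that is not visible here. create starts before and ends after this hunk.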
@@ -14,9 +14,14 @@ export async function removeMember({ url.searchParams.set("organisationId", `${organisationId}`); url.searchParams.set("userId", `${userId}`); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { method: "POST", - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/project/byOrganisation.ts b/packages/frontend/src/lib/server/project/byOrganisation.ts index 2c58c81..c3c0251 100644 --- a/packages/frontend/src/lib/server/project/byOrganisation.ts +++ b/packages/frontend/src/lib/server/project/byOrganisation.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function byOrganisation({ @@ -12,7 +12,7 @@ export async function byOrganisation({ url.searchParams.set("organisationId", `${organisationId}`); const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/project/create.ts b/packages/frontend/src/lib/server/project/create.ts index 8594a57..b8ee893 100644 --- a/packages/frontend/src/lib/server/project/create.ts +++ b/packages/frontend/src/lib/server/project/create.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function create({ 
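Review bot: `const headers: HeadersInit = {}` followed by `headers["X-CSRF-Token"] = …` only type-checks because TypeScript narrows the `HeadersInit` union to its record member on initialisation; `const headers: Record<string, string> = {};` states the intent directly, and `new Headers()` with `headers.set("X-CSRF-Token", csrfToken)` would also work since `HeadersInit` accepts a `Headers` instance. The same shape is repeated in addMember and the other write helpers, so whichever form is chosen should be applied to all of them. removeMember starts before and ends after this hunk.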
@@ -20,8 +20,13 @@ export async function create({ url.searchParams.set("creatorId", `${creatorId}`); url.searchParams.set("organisationId", `${organisationId}`); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/user/byUsername.ts b/packages/frontend/src/lib/server/user/byUsername.ts index 3dc2cfe..d245925 100644 --- a/packages/frontend/src/lib/server/user/byUsername.ts +++ b/packages/frontend/src/lib/server/user/byUsername.ts @@ -1,5 +1,5 @@ import type { UserRecord } from "@issue/shared"; -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function byUsername({ @@ -13,7 +13,7 @@ export async function byUsername({ url.searchParams.set("username", username); const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/user/update.ts b/packages/frontend/src/lib/server/user/update.ts index 55fde0b..00713f4 100644 --- a/packages/frontend/src/lib/server/user/update.ts +++ b/packages/frontend/src/lib/server/user/update.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function update({ 
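Review bot: Like the other create helpers this one issues a GET (no `method`) with `creatorId` and `organisationId` in the query string, so the CSRF header is sent on exactly the request type that token checks conventionally exempt, and the cookie-authenticated GET stays forgeable from a third-party page. `method: "POST",` plus a body fixes the method; `creatorId` being client-supplied should then be replaced on the server by the session identity, which this diff cannot show. create starts before and ends after this hunk.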
@@ -20,8 +20,13 @@ export async function update({ url.searchParams.set("password", password.trim()); url.searchParams.set("avatarURL", avatarURL || "null"); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(url.toString(), { - headers: getAuthHeaders(), + headers, + credentials: "include", }); if (!res.ok) { diff --git a/packages/frontend/src/lib/server/user/uploadAvatar.ts b/packages/frontend/src/lib/server/user/uploadAvatar.ts index a75b079..33cd2b5 100644 --- a/packages/frontend/src/lib/server/user/uploadAvatar.ts +++ b/packages/frontend/src/lib/server/user/uploadAvatar.ts @@ -1,4 +1,4 @@ -import { getAuthHeaders, getServerURL } from "@/lib/utils"; +import { getCsrfToken, getServerURL } from "@/lib/utils"; import type { ServerQueryInput } from ".."; export async function uploadAvatar({ @@ -24,10 +24,15 @@ export async function uploadAvatar({ const formData = new FormData(); formData.append("file", file); + const csrfToken = getCsrfToken(); + const headers: HeadersInit = {}; + if (csrfToken) headers["X-CSRF-Token"] = csrfToken; + const res = await fetch(`${getServerURL()}/user/upload-avatar`, { method: "POST", - headers: getAuthHeaders(), + headers, body: formData, + credentials: "include", }); if (!res.ok) {
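Review bot: The password is sent as a URL query parameter on a GET (`url.searchParams.set("password", …)` with no `method`), so it lands in server and proxy access logs, browser history and any `Referer`, and the CSRF token on that GET is unlikely to be checked at all — a cookie-authenticated GET that changes a password is the textbook account-takeover CSRF. This needs `method: "POST",` with the credential in a JSON body; the `avatarURL || "null"` context line would move along with it. update starts before and ends after this hunk.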
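Review bot: This is the one helper in the set with the right shape (POST, token header, cookie), but it relies on a subtlety that deserves a comment: `headers` must not carry a `Content-Type`, because the browser generates the multipart boundary for the `FormData` body; `// do not set Content-Type: fetch derives the multipart boundary from FormData` on the `headers,` line. The `file` argument is appended without any client-side size or type check, but the server-side limits are not visible here. uploadAvatar starts before and ends after this hunk.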