CSRF implementation on server helpers

2026-02-08 10:33:01 +00:00 · 2026-01-09 05:34:48 +00:00
parent f7d4d6212d
commit e074500a77
13 changed files with 66 additions and 26 deletions
--- a/packages/frontend/src/lib/server/issue/byProject.ts
+++ b/packages/frontend/src/lib/server/issue/byProject.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function byProject({
@@ -12,7 +12,7 @@ export async function byProject({
    url.searchParams.set("projectId", `${projectId}`);

    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/issue/create.ts
+++ b/packages/frontend/src/lib/server/issue/create.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function create({
@@ -20,8 +20,13 @@ export async function create({
    if (description.trim() !== "") url.searchParams.set("description", description.trim());
    if (assigneeId != null) url.searchParams.set("assigneeId", `${assigneeId}`);

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {
--- a/packages/frontend/src/lib/server/issue/update.ts
+++ b/packages/frontend/src/lib/server/issue/update.ts
@@ -1,4 +1,4 @@
-import { getAuthHeaders, getServerURL } from "@/lib/utils";
+import { getCsrfToken, getServerURL } from "@/lib/utils";
 import type { ServerQueryInput } from "..";

 export async function update({
@@ -22,8 +22,13 @@ export async function update({
        url.searchParams.set("assigneeId", assigneeId === null ? "null" : `${assigneeId}`);
    }

+    const csrfToken = getCsrfToken();
+    const headers: HeadersInit = {};
+    if (csrfToken) headers["X-CSRF-Token"] = csrfToken;
+
    const res = await fetch(url.toString(), {
-        headers: getAuthHeaders(),
+        headers,
+        credentials: "include",
    });

    if (!res.ok) {