
fix(csrf): override fetch to handle requests with CSRF token #1014

Merged (1 commit), Oct 16, 2024

Conversation

@Fallenbagel (Owner) commented Oct 16, 2024

Description

During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an "invalid CSRF token" error for users accessing the app even via HTTPS. This PR overrides fetch to ensure that the CSRF token is included in all requests.

@M0NsTeRRR thanks for helping me debug and find a solution!

To-Dos

  • Successful build pnpm build
  • Translation keys pnpm i18n:extract
  • Database migration (if required)

@Fallenbagel (Owner, Author) commented:

@all-contributors please add @M0NsTeRRR for security

Contributor reply:

@Fallenbagel

I've put up a pull request to add @M0NsTeRRR! 🎉

Commit message:

During the migration from Axios to fetch, we overlooked the fact that Axios automatically handled
CSRF tokens, while fetch does not. When CSRF protection was turned on, requests were failing with an
"invalid CSRF token" error for users accessing the app even via HTTPS. This commit
overrides fetch to ensure that the CSRF token is included in all requests.

fix #1011
@Fallenbagel changed the title from "fix(csrf): add a custom fetch utility to handle requests with CSRF token" to "fix(csrf): override fetch to handle requests with CSRF token" on Oct 16, 2024

@gauthier-th (Collaborator) left a comment:

lgtm

@Fallenbagel merged commit 4945b54 into develop on Oct 16, 2024 (8 checks passed) and deleted the fix-csrf-protection branch on October 16, 2024 at 23:25.

@Fallenbagel (Owner, Author) commented:

🎉 This PR is included in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Linked issue closed by this PR: [Bug] CSRF Validation broken since 2.0.0