
chore: send csrf token when submitting a rpc2.0 call #714

Merged: 7 commits merged into main from chore_enable_csrf_token_in_rpc2.0_calls on Jan 17, 2024

Conversation

@muellerdemos (Contributor) commented Jan 17, 2024

Description

  • This PR is the front-end part of enabling x-csrf-token as a header, which was mainly introduced to prevent the purple error messages about missing CSRF tokens when loading addons in various areas of dplan.

Linked PRs:

demos-europe/demosplan-core#2586

Important:

Before removing the hidden input field throughout dplan, this PR needs to be merged first and a new release is needed.
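The mechanism the description refers to, as an added example in JavaScript that is not demosplan-ui's code: the client sends the session's CSRF token in a lowercase `x-csrf-token` request header next to the existing JWT header, and the server accepts the token from either that header (RPC 2.0 calls) or the hidden form input the header is meant to replace. The header name `x-csrf-token` comes from this PR; the field name `_csrf_token`, the lowercase `x-jwt-authorization` spelling, the function names, the request shape and the sample token are assumptions made for this example, and the constant-time comparison is written out by hand to keep the block dependency-free (Node's `crypto.timingSafeEqual` is the production choice).

```javascript
// Added example, not demosplan-ui code. Names below other than `x-csrf-token`
// are assumptions made for the example.
const CSRF_HEADER = 'x-csrf-token';   // header name from the PR, lowercase as HTTP/2 requires on the wire
const CSRF_FIELD = '_csrf_token';     // assumed name of the hidden form input being phased out

// Client side: default headers for a JSON-RPC call. A missing token is left
// out rather than being serialized as the string "undefined".
function buildDefaultHeaders({ jwtToken, csrfToken }) {
  const headers = {
    'content-type': 'application/json',
    'x-jwt-authorization': 'Bearer ' + jwtToken, // assumed lowercase spelling of the JWT header
  };
  if (typeof csrfToken === 'string' && csrfToken.length > 0) {
    headers[CSRF_HEADER] = csrfToken;
  }
  return headers;
}

// Case-insensitive header lookup. Node lowercases incoming header names, but a
// hand-built request object (tests, fetch mocks) may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Constant-time comparison of the presented token against the session token.
// Length mismatch is rejected up front; token length is fixed and not secret.
// In production use crypto.timingSafeEqual; written out here to stay dependency-free.
function tokensMatch(expected, presented) {
  if (typeof presented !== 'string') return false;
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(presented, 'utf8');
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Server side: a state-changing request must carry the session's CSRF token,
// in the header (RPC/JSON calls) or in the hidden form field (classic form
// posts). Safe methods are exempt. `source` reports which transport was used
// so the server can log who still relies on the hidden input.
function checkCsrf(request, sessionToken) {
  const method = (request.method || 'GET').toUpperCase();
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    return { ok: true, source: 'none' };
  }
  const fromHeader = getHeader(request.headers, CSRF_HEADER);
  if (fromHeader !== undefined) {
    return tokensMatch(sessionToken, fromHeader)
      ? { ok: true, source: 'header' }
      : { ok: false, reason: 'header token mismatch' };
  }
  const fromForm = request.form && request.form[CSRF_FIELD];
  if (fromForm !== undefined) {
    return tokensMatch(sessionToken, fromForm)
      ? { ok: true, source: 'form' }
      : { ok: false, reason: 'form token mismatch' };
  }
  return { ok: false, reason: 'missing csrf token' };
}

// Constructed sample data for illustration only.
const SESSION_TOKEN = 'f3a1c9d2e8b74b6c';

function sampleRequests() {
  const headers = buildDefaultHeaders({ jwtToken: 'eyJ.assumed.jwt', csrfToken: SESSION_TOKEN });
  return {
    // RPC 2.0 call from the app's own origin: the token travels in the header.
    rpcCall: { method: 'POST', headers, body: '{"jsonrpc":"2.0","method":"ping","id":1}' },
    // Legacy form post: the token travels in the hidden input.
    formPost: { method: 'POST', headers: {}, form: { [CSRF_FIELD]: SESSION_TOKEN } },
    // Cross-site form post: an attacker's page cannot set custom headers and
    // does not know the token, so neither transport carries it.
    crossSite: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      form: { target: 'x' },
    },
  };
}

// Check every sample request and collect the verdicts by name.
function auditSamples() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests())) {
    out[name] = checkCsrf(req, SESSION_TOKEN);
  }
  return out;
}
```

A cross-site HTML form cannot add a custom header, and a cross-origin `fetch` that adds one triggers a CORS preflight, which is why carrying the token in a header protects RPC calls without any hidden field; the `source` value lets the server log which transport callers still use while the hidden input is removed from dplan.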

Velimir Müller added 2 commits January 17, 2024 17:05
- mainly to prevent the purple error messages about missing csrf tokens when loading addons
@muellerdemos muellerdemos self-assigned this Jan 17, 2024
src/lib/DpApi.js Outdated
}
}

const apiDefaultHeaders = {
'X-JWT-Authorization': 'Bearer ' + jwtToken
'X-JWT-Authorization': 'Bearer ' + jwtToken,
'X-Csrf-Token': csrfToken
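Review bot: `csrfToken` is referenced on the new `'X-Csrf-Token': csrfToken` line, but nothing in this hunk shows where it comes from or when it is read. Because `apiDefaultHeaders` is a `const` built once, confirm the token is resolved at request time (or the header object is rebuilt per call) so a token that is absent at module load or rotated later is not sent as `undefined` or stale; if it can legitimately be absent, omit the header rather than sending an empty value.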
Contributor commented:

Better use small caps like x-csrf-token for new headers, as they should be only small chars in HTTP/2.

Contributor Author commented:

Ah thanks, indeed I remember the Slack discussion. Done here: 6432cf4

@mussbach (Contributor) left a comment:

lgtm, thx

@muellerdemos merged commit e0e40a3 into main on Jan 17, 2024 (1 check passed) and deleted the chore_enable_csrf_token_in_rpc2.0_calls branch on January 17, 2024 at 17:08.
}
}

const apiDefaultHeaders = {
'X-JWT-Authorization': 'Bearer ' + jwtToken
'X-JWT-Authorization': 'Bearer ' + jwtToken,
'x-csrf-token': csrfToken
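Review bot: with the new header lowercased to `'x-csrf-token'`, this object now mixes casings, since `'X-JWT-Authorization'` on the line above keeps its mixed-case spelling. HTTP/2 requires lowercase field names on the wire and clients normalize before sending, so both spellings work, but settle on one convention in this object (lowercase both, or leave a comment saying why only new headers follow the rule) so the next reviewer does not raise the same point again.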
Contributor commented:

Why is the new header only added to apiDefaultHeaders, not api2defaultHeaders (which is used on all 2.0 routes)?

@@ -4,6 +4,10 @@ Since v0.0.10, this Changelog is formatted according to the [Common Changelog][c

## UNRELEASED

### Added

- ([#714](https://github.com/demos-europe/demosplan-ui/pull/714/files)) add csrf token to dpRpc to prevent missing csrf errors ([@muellerdemos](https://github.com/muellerdemos))
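Review bot: the entry describes the change as adding the token to dpRpc only, but the DpApi.js hunk above extends `apiDefaultHeaders`, which the review thread identifies as the shared default header set rather than the RPC-2.0-specific one; name the header (`x-csrf-token`) and state exactly which calls now carry it so readers of the changelog know what changed. The link target `/pull/714/files` also lands on the diff tab rather than the PR page itself.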
Contributor commented:

In fact this adds the headers to both dpApi and dpRpc calls.

3 participants