From 1f1c414138701a7dfe357e608bc3b6df82bc4326 Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com.>
Date: Sat, 14 Dec 2024 10:42:07 +0000
Subject: [PATCH] csrf fixes
---
 src/main/resources/static/js/downloader.js | 2 +-
 src/main/resources/static/js/fetch-utils.js | 1 -
 src/main/resources/templates/account.html | 4 ++--
 src/main/resources/templates/fragments/common.html | 2 +-
 src/main/resources/templates/fragments/navbar.html | 2 +-
 src/main/resources/templates/misc/remove-annotations.html | 2 +-
 src/main/resources/templates/security/validate-signature.html | 2 +-
 7 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/main/resources/static/js/downloader.js b/src/main/resources/static/js/downloader.js
index 4131b49a..d7718f02 100644
--- a/src/main/resources/static/js/downloader.js
+++ b/src/main/resources/static/js/downloader.js
@@ -140,7 +140,7 @@ let errorMessage = null;
 try {
- const response = await fetch(url, {method: 'POST', body: formData});
+ const response = await window.fetchWithCsrf(url, {method: 'POST', body: formData});
 const contentType = response.headers.get('content-type');
 if (!response.ok) {
diff --git a/src/main/resources/static/js/fetch-utils.js b/src/main/resources/static/js/fetch-utils.js
index f92c7d9e..d606d71a 100644
--- a/src/main/resources/static/js/fetch-utils.js
+++ b/src/main/resources/static/js/fetch-utils.js
@@ -8,7 +8,6 @@ window.fetchWithCsrf = async function(url, options = {}) {
 if (cookieValue) {
 return cookieValue;
 }
-
 const csrfElement = document.querySelector('input[name="_csrf"]');
 return csrfElement ? csrfElement.value : null;
 }
diff --git a/src/main/resources/templates/account.html b/src/main/resources/templates/account.html
index c9d08723..1e61db9d 100644
--- a/src/main/resources/templates/account.html
+++ b/src/main/resources/templates/account.html
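Review bot: The new `window.fetchWithCsrf` call in the downloader.js hunk introduces a load-order dependency that nothing in that file documents: if fetch-utils.js has not executed before this code runs, the call throws a TypeError for an undefined function, and because the line sits inside a `try`, that failure would presumably surface through the same catch path as a real server error (the catch block is outside the hunk), making a missing script include look like a backend failure. A one-line comment near the top of downloader.js would make the contract explicit, e.g. `// Requires fetch-utils.js (defines window.fetchWithCsrf) to be loaded before this script.`. The added `+` line in fragments/navbar.html is presumably that include, but its content is not visible in this patch, so the ordering cannot be confirmed here. The enclosing function in downloader.js starts before and continues after the hunk.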
@@ -196,7 +196,7 @@ /**/
- let response = await fetch(urlGetApiKey, { method: 'POST' });
+ let response = await window.fetchWithCsrf(urlGetApiKey, { method: 'POST' });
 if (response.status === 200) {
 let apiKey = await response.text();
 manageUIState(apiKey);
@@ -213,7 +213,7 @@ /**/
- let response = await fetch(urlUpdateApiKey, { method: 'POST' });
+ let response = await window.fetchWithCsrf(urlUpdateApiKey, { method: 'POST' });
 if (response.status === 200) {
 let apiKey = await response.text();
 manageUIState(apiKey);
diff --git a/src/main/resources/templates/fragments/common.html b/src/main/resources/templates/fragments/common.html
index f372d1dd..edbb47ab 100644
--- a/src/main/resources/templates/fragments/common.html
+++ b/src/main/resources/templates/fragments/common.html
@@ -24,7 +24,7 @@
-
+
diff --git a/src/main/resources/templates/fragments/navbar.html b/src/main/resources/templates/fragments/navbar.html
index 84988053..9803a9d3 100644
--- a/src/main/resources/templates/fragments/navbar.html
+++ b/src/main/resources/templates/fragments/navbar.html
@@ -14,6 +14,7 @@
+
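Review bot: The success check after each new `window.fetchWithCsrf` call in account.html (hunks at lines 196 and 213) tests only `response.status === 200`, so a request sent without a usable token — the lookup shown in the fetch-utils.js hunk returns `null` when neither the cookie nor the `_csrf` input exists — would typically come back as a 403 and leave the UI unchanged with no message, unless the branch following the hunk handles it; that branch, and the start of each enclosing function, lie outside the hunk. As a point of style, `response` and `apiKey` are never reassigned in the visible lines, so the new lines read better as `const response = await window.fetchWithCsrf(urlGetApiKey, { method: 'POST' });` and likewise for `urlUpdateApiKey`. The two hunks are identical apart from the URL, so a shared helper such as `const postApiKey = (url) => window.fetchWithCsrf(url, { method: 'POST' });` would remove the duplication. The common.html and navbar.html hunks carry no visible content in this patch and cannot be reviewed here.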