Merge pull request #2441 from reecebrowne/bug/csrf-decryption-API

CSRF token for decryption
2025-02-02 00:16:34 +01:00 · 2024-12-13 20:33:03 +00:00 · 2024-12-13 20:33:03 +00:00 · 5607f7079e
commit 5607f7079e
parent 41a3d28c90 3b8723975d
1 changed files with 15 additions and 0 deletions
--- a/src/main/resources/static/js/DecryptFiles.js
+++ b/src/main/resources/static/js/DecryptFiles.js
@ -1,6 +1,20 @@
 export class DecryptFile {
  async decryptFile(file, requiresPassword) {
    try {
+      async function getCsrfToken() {
+        const cookieValue = document.cookie
+          .split('; ')
+          .find((row) => row.startsWith('XSRF-TOKEN='))
+          ?.split('=')[1];
+
+        if (cookieValue) {
+          return cookieValue;
+        }
+
+        const csrfElement = document.querySelector('input[name="_csrf"]');
+        return csrfElement ? csrfElement.value : null;
+      }
+      const csrfToken = await getCsrfToken();
      const formData = new FormData();
      formData.append('fileInput', file);
      if (requiresPassword) {
@ -29,6 +43,7 @@ export class DecryptFile {
      const response = await fetch('/api/v1/security/remove-password', {
        method: 'POST',
        body: formData,
+        headers: csrfToken ? {'X-XSRF-TOKEN': csrfToken} : undefined,
      });

      if (response.ok) {