fix: reworked csrf

2025-12-04 10:12:05 +03:00 · 2025-12-04 10:12:05 +03:00 · bd868bb724
commit bd868bb724
parent 475266eef6
16 changed files with 39 additions and 150 deletions
--- a/modules/frontend/src/App.tsx
+++ b/modules/frontend/src/App.tsx
@ -6,6 +6,10 @@ import TitlePage from "./pages/TitlePage/TitlePage";
 import { LoginPage } from "./pages/LoginPage/LoginPage";
 import { Header } from "./components/Header/Header";

+import { OpenAPI } from "./api";
+
+OpenAPI.WITH_CREDENTIALS = true
+
 const App: React.FC = () => {
  const username = localStorage.getItem("username") || undefined;
  const userId = localStorage.getItem("userId");
--- a/modules/frontend/src/api/index.ts
+++ b/modules/frontend/src/api/index.ts
@ -7,9 +7,6 @@ export { CancelablePromise, CancelError } from './core/CancelablePromise';
 export { OpenAPI } from './core/OpenAPI';
 export type { OpenAPIConfig } from './core/OpenAPI';

-export type { accessToken } from './models/accessToken';
-export type { csrfToken } from './models/csrfToken';
-export type { csrfTokenHeader } from './models/csrfTokenHeader';
 export type { cursor } from './models/cursor';
 export type { CursorObj } from './models/CursorObj';
 export type { Image } from './models/Image';
--- a/modules/frontend/src/api/models/accessToken.ts
+++ b/modules/frontend/src/api/models/accessToken.ts
@ -1,9 +0,0 @@
-/* generated using openapi-typescript-codegen -- do not edit */
-/* istanbul ignore file */
-/* tslint:disable */
-/* eslint-disable */
-/**
- * JWT access token.
- *
- */
-export type accessToken = string;
--- a/modules/frontend/src/api/models/csrfToken.ts
+++ b/modules/frontend/src/api/models/csrfToken.ts
@ -1,11 +0,0 @@
-/* generated using openapi-typescript-codegen -- do not edit */
-/* istanbul ignore file */
-/* tslint:disable */
-/* eslint-disable */
-/**
- * Anti-CSRF token (Double Submit Cookie pattern).
- * Stored in non-HttpOnly cookie, readable by JavaScript.
- * Must be echoed in `X-XSRF-TOKEN` header for state-changing requests (POST/PUT/PATCH/DELETE).
- *
- */
-export type csrfToken = string;
--- a/modules/frontend/src/api/models/csrfTokenHeader.ts
+++ b/modules/frontend/src/api/models/csrfTokenHeader.ts
@ -1,10 +0,0 @@
-/* generated using openapi-typescript-codegen -- do not edit */
-/* istanbul ignore file */
-/* tslint:disable */
-/* eslint-disable */
-/**
- * Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
- * Required for all state-changing requests (POST/PUT/PATCH/DELETE).
- *
- */
-export type csrfTokenHeader = string;
--- a/modules/frontend/src/api/services/DefaultService.ts
+++ b/modules/frontend/src/api/services/DefaultService.ts
@ -135,16 +135,12 @@ export class DefaultService {
     * Password updates must be done via the dedicated auth-service (`/auth/`).
     * Fields not provided in the request body remain unchanged.
     *
-     * @param xXsrfToken Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
-     * Required for all state-changing requests (POST/PUT/PATCH/DELETE).
-     *
     * @param userId User ID (primary key)
     * @param requestBody
     * @returns User User updated successfully. Returns updated user representation (excluding sensitive fields).
     * @throws ApiError
     */
    public static updateUser(
-        xXsrfToken: string,
        userId: number,
        requestBody: {
            /**
@ -175,9 +171,6 @@ export class DefaultService {
            path: {
                'user_id': userId,
            },
-            headers: {
-                'X-XSRF-TOKEN': xXsrfToken,
-            },
            body: requestBody,
            mediaType: 'application/json',
            errors: {
@ -316,9 +309,6 @@ export class DefaultService {
    /**
     * Update a usertitle
     * User updating title list of watched
-     * @param xXsrfToken Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
-     * Required for all state-changing requests (POST/PUT/PATCH/DELETE).
-     *
     * @param userId
     * @param titleId
     * @param requestBody
@ -326,7 +316,6 @@ export class DefaultService {
     * @throws ApiError
     */
    public static updateUserTitle(
-        xXsrfToken: string,
        userId: number,
        titleId: number,
        requestBody: {
@ -341,9 +330,6 @@ export class DefaultService {
                'user_id': userId,
                'title_id': titleId,
            },
-            headers: {
-                'X-XSRF-TOKEN': xXsrfToken,
-            },
            body: requestBody,
            mediaType: 'application/json',
            errors: {
@ -358,16 +344,12 @@ export class DefaultService {
    /**
     * Delete a usertitle
     * User deleting title from list of watched
-     * @param xXsrfToken Anti-CSRF token. Must match the `XSRF-TOKEN` cookie.
-     * Required for all state-changing requests (POST/PUT/PATCH/DELETE).
-     *
     * @param userId
     * @param titleId
     * @returns any Title successfully deleted
     * @throws ApiError
     */
    public static deleteUserTitle(
-        xXsrfToken: string,
        userId: number,
        titleId: number,
    ): CancelablePromise<any> {
@ -378,9 +360,6 @@ export class DefaultService {
                'user_id': userId,
                'title_id': titleId,
            },
-            headers: {
-                'X-XSRF-TOKEN': xXsrfToken,
-            },
            errors: {
                401: `Unauthorized — missing or invalid auth token`,
                403: `Forbidden — user not allowed to delete title`,
--- a/modules/frontend/src/components/TitleStatusControls/TitleStatusControls.tsx
+++ b/modules/frontend/src/components/TitleStatusControls/TitleStatusControls.tsx
@ -1,7 +1,7 @@
 import { useEffect, useState } from "react";
 import { DefaultService } from "../../api";
 import type { UserTitleStatus } from "../../api";
-import { useCookies } from 'react-cookie';
+// import { useCookies } from 'react-cookie';

 import {
  ClockIcon,
@ -19,8 +19,8 @@ const STATUS_BUTTONS: { status: UserTitleStatus; icon: React.ReactNode; label: s
 ];

 export function TitleStatusControls({ titleId }: { titleId: number }) {
-    const [cookies] = useCookies(['xsrf_token']);
-    const xsrfToken = cookies['xsrf_token'] || null;
+    // const [cookies] = useCookies(['xsrf_token']);
+    // const xsrfToken = cookies['xsrf_token'] || null;

    const [currentStatus, setCurrentStatus] = useState<UserTitleStatus | null>(null);
    const [loading, setLoading] = useState(false);
@ -46,7 +46,7 @@ export function TitleStatusControls({ titleId }: { titleId: number }) {
        try {
            // 1) Если кликнули на текущий статус — DELETE
            if (currentStatus === status) {
-                await DefaultService.deleteUserTitle(xsrfToken, userId, titleId);
+                await DefaultService.deleteUserTitle(userId, titleId);
                setCurrentStatus(null);
                return;
            }
@ -61,7 +61,7 @@ export function TitleStatusControls({ titleId }: { titleId: number }) {
                setCurrentStatus(added.status);
            } else {
                // уже есть запись — PATCH
-                const updated = await DefaultService.updateUserTitle(xsrfToken, userId, titleId, { status });
+                const updated = await DefaultService.updateUserTitle(userId, titleId, { status });
                setCurrentStatus(updated.status);
            }
        } finally {