feat: enhance CSRF token handling and add format=json to API requests

2025-01-06 14:49:23 -05:00
parent 128c33d9a1
commit 59b41c01df
3 changed files with 64 additions and 32 deletions
--- a/frontend/src/routes/_allauth/[...path]/+server.ts
+++ b/frontend/src/routes/_allauth/[...path]/+server.ts
@@ -12,23 +12,23 @@ export async function GET(event) {

 /** @type {import('./$types').RequestHandler} */
 export async function POST({ url, params, request, fetch, cookies }) {
-	const searchParam = url.search ? `${url.search}` : '';
-	return handleRequest(url, params, request, fetch, cookies, searchParam, false);
+	const searchParam = url.search ? `${url.search}&format=json` : '?format=json';
+	return handleRequest(url, params, request, fetch, cookies, searchParam, true);
 }

 export async function PATCH({ url, params, request, fetch, cookies }) {
-	const searchParam = url.search ? `${url.search}` : '';
-	return handleRequest(url, params, request, fetch, cookies, searchParam, false);
+	const searchParam = url.search ? `${url.search}&format=json` : '?format=json';
+	return handleRequest(url, params, request, fetch, cookies, searchParam, true);
 }

 export async function PUT({ url, params, request, fetch, cookies }) {
-	const searchParam = url.search ? `${url.search}` : '';
-	return handleRequest(url, params, request, fetch, cookies, searchParam, false);
+	const searchParam = url.search ? `${url.search}&format=json` : '?format=json';
+	return handleRequest(url, params, request, fetch, cookies, searchParam, true);
 }

 export async function DELETE({ url, params, request, fetch, cookies }) {
-	const searchParam = url.search ? `${url.search}` : '';
-	return handleRequest(url, params, request, fetch, cookies, searchParam, false);
+	const searchParam = url.search ? `${url.search}&format=json` : '?format=json';
+	return handleRequest(url, params, request, fetch, cookies, searchParam, true);
 }

 async function handleRequest(
@@ -53,18 +53,25 @@ async function handleRequest(

 	const headers = new Headers(request.headers);

+	// Delete existing csrf cookie by setting an expired date
+	cookies.delete('csrftoken', { path: '/' });
+
+	// Generate a new csrf token (using your existing fetchCSRFToken function)
 	const csrfToken = await fetchCSRFToken();
 	if (!csrfToken) {
 		return json({ error: 'CSRF token is missing or invalid' }, { status: 400 });
 	}

+	// Set the new csrf token in both headers and cookies
+	const cookieHeader = `csrftoken=${csrfToken}; Path=/; HttpOnly; SameSite=Lax`;
+
 	try {
 		const response = await fetch(targetUrl, {
 			method: request.method,
 			headers: {
 				...Object.fromEntries(headers),
 				'X-CSRFToken': csrfToken,
-				Cookie: `csrftoken=${csrfToken}`
+				Cookie: cookieHeader
 			},
 			body:
 				request.method !== 'GET' && request.method !== 'HEAD' ? await request.text() : undefined,