From f4450b6a3844a41014afede4175a528c37a001d2 Mon Sep 17 00:00:00 2001
From: Sean Morley
Date: Fri, 17 Jan 2025 16:58:08 -0500
Subject: [PATCH] fix: include Referer header in API requests
---
 frontend/src/routes/activities/+page.server.ts | 3 ++-
 frontend/src/routes/adventures/+page.server.ts | 3 ++-
 frontend/src/routes/adventures/[id]/+page.server.ts | 4 +++-
 frontend/src/routes/collections/+page.server.ts | 5 ++++-
 frontend/src/routes/collections/[id]/+page.server.ts | 3 ++-
 frontend/src/routes/login/+page.server.ts | 6 ++++--
 frontend/src/routes/signup/+page.server.ts | 3 ++-
 frontend/src/routes/user/reset-password/+page.server.ts | 3 ++-
 .../src/routes/user/reset-password/[key]/+page.server.ts | 3 ++-
 9 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/frontend/src/routes/activities/+page.server.ts b/frontend/src/routes/activities/+page.server.ts
index 238e6b48..626bef81 100644
--- a/frontend/src/routes/activities/+page.server.ts
+++ b/frontend/src/routes/activities/+page.server.ts
@@ -37,7 +37,8 @@ export const actions: Actions = {
 headers: {
 'X-CSRFToken': csrfToken,
 'Content-Type': 'application/json',
- Cookie: `csrftoken=${csrfToken}`
+ Cookie: `csrftoken=${csrfToken}`,
+ Referer: event.url.origin // Include Referer header
 }
 });
 console.log(res);
diff --git a/frontend/src/routes/adventures/+page.server.ts b/frontend/src/routes/adventures/+page.server.ts
index da69fdf5..a2d7ab69 100644
--- a/frontend/src/routes/adventures/+page.server.ts
+++ b/frontend/src/routes/adventures/+page.server.ts
@@ -69,7 +69,8 @@ export const actions: Actions = {
 method: 'POST',
 headers: {
 Cookie: `csrftoken=${csrfToken}; sessionid=${sessionId}`,
- 'X-CSRFToken': csrfToken
+ 'X-CSRFToken': csrfToken,
+ Referer: event.url.origin // Include Referer header
 },
 body: formData
 });
diff --git a/frontend/src/routes/adventures/[id]/+page.server.ts b/frontend/src/routes/adventures/[id]/+page.server.ts
index bba55aa1..eed47ba5 100644
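Review bot: The trailing `// Include Referer header` comment on the added `Referer: event.url.origin` line restates the code instead of recording why a server-side fetch now needs it, and the same line is added in every hunk of this patch (adventures, adventures/[id], collections, collections/[id], login, signup, reset-password and reset-password/[key]). The commit title calls this a fix, so the reason belongs next to the code; presumably the API's CSRF origin/Referer check is what rejects requests without it, which should be confirmed against the backend settings. I would replace the comment with `// server-side fetch sends no Referer; the API's CSRF check expects one matching the request origin` and, since nine files now assemble the same CSRF/Cookie/Referer header set by hand, consider one shared helper that builds it from `event`. If the frontend runs behind a reverse proxy, `event.url.origin` depends on how the adapter resolves the incoming origin, so it is worth checking in the deployed setup that the value actually matches what the backend trusts. The enclosing action handler starts before and ends after this hunk.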
--- a/frontend/src/routes/adventures/[id]/+page.server.ts +++ b/frontend/src/routes/adventures/[id]/+page.server.ts @@ -66,7 +66,9 @@ export const actions: Actions = { let res = await fetch(`${serverEndpoint}/api/adventures/${event.params.id}`, { method: 'DELETE', headers: { - Cookie: `sessionid=${event.cookies.get('sessionid')}; csrftoken=${csrfToken}`, + Referer: event.url.origin, // Include Referer header + Cookie: `sessionid=${event.cookies.get('sessionid')}; + csrftoken=${csrfToken}`, 'X-CSRFToken': csrfToken }, credentials: 'include' diff --git a/frontend/src/routes/collections/+page.server.ts b/frontend/src/routes/collections/+page.server.ts index f88e5ee4..20e2c401 100644 --- a/frontend/src/routes/collections/+page.server.ts +++ b/frontend/src/routes/collections/+page.server.ts @@ -96,6 +96,7 @@ export const actions: Actions = { method: 'POST', headers: { 'X-CSRFToken': csrfToken, + Referer: event.url.origin, // Include Referer header Cookie: `sessionid=${sessionid}; csrftoken=${csrfToken}` }, body: formDataToSend @@ -174,9 +175,11 @@ export const actions: Actions = { method: 'PATCH', headers: { 'X-CSRFToken': csrfToken, - Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}` + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, + Referer: event.url.origin // Include Referer header }, body: formDataToSend, + credentials: 'include' }); diff --git a/frontend/src/routes/collections/[id]/+page.server.ts b/frontend/src/routes/collections/[id]/+page.server.ts index bf54a5b7..f672eedb 100644 --- a/frontend/src/routes/collections/[id]/+page.server.ts +++ b/frontend/src/routes/collections/[id]/+page.server.ts @@ -63,7 +63,8 @@ export const actions: Actions = { headers: { Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, 'Content-Type': 'application/json', - 'X-CSRFToken': csrfToken + 'X-CSRFToken': csrfToken, + Referer: event.url.origin // Include Referer header }, credentials: 'include' }); 
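Review bot: In the adventures/[id] hunk the `Cookie` template literal is now broken across two added lines (`sessionid=...;` on one, `csrftoken=${csrfToken}` on the next), so the header value contains a literal newline plus the indentation of the continuation line. HTTP header values may not contain line breaks, so Node's fetch should reject this with a TypeError before the DELETE is sent, and even if it were sent the backend would not read the csrftoken cookie intact and the request would fail its CSRF check, regardless of the Referer header this commit adds. Keep the value on a single line: ``Cookie: `sessionid=${event.cookies.get('sessionid')}; csrftoken=${csrfToken}`,``. The surrounding DELETE action begins and ends outside the hunk.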
diff --git a/frontend/src/routes/login/+page.server.ts b/frontend/src/routes/login/+page.server.ts
index f8723ba4..b2571a18 100644
--- a/frontend/src/routes/login/+page.server.ts
+++ b/frontend/src/routes/login/+page.server.ts
@@ -46,7 +46,8 @@ export const actions: Actions = {
 headers: {
 'X-CSRFToken': csrfToken,
 'Content-Type': 'application/json',
- Cookie: `csrftoken=${csrfToken}`
+ Cookie: `csrftoken=${csrfToken}`,
+ Referer: event.url.origin // Include Referer header
 },
 body: JSON.stringify({ username, password }),
 credentials: 'include'
@@ -73,7 +74,8 @@ export const actions: Actions = {
 headers: {
 'X-CSRFToken': csrfToken,
 'Content-Type': 'application/json',
- Cookie: `csrftoken=${csrfToken}; sessionid=${sessionId}`
+ Cookie: `csrftoken=${csrfToken}; sessionid=${sessionId}`,
+ Referer: event.url.origin // Include Referer header
 },
 body: JSON.stringify({ code: totp }),
 credentials: 'include'
diff --git a/frontend/src/routes/signup/+page.server.ts b/frontend/src/routes/signup/+page.server.ts
index 813b4710..f9a96dc0 100644
--- a/frontend/src/routes/signup/+page.server.ts
+++ b/frontend/src/routes/signup/+page.server.ts
@@ -56,7 +56,8 @@ export const actions: Actions = {
 headers: {
 'X-CSRFToken': csrfToken,
 'Content-Type': 'application/json',
- Cookie: `csrftoken=${csrfToken}`
+ Cookie: `csrftoken=${csrfToken}`,
+ Referer: event.url.origin // Include Referer header
 },
 body: JSON.stringify({
 username: username,
diff --git a/frontend/src/routes/user/reset-password/+page.server.ts b/frontend/src/routes/user/reset-password/+page.server.ts
index f91db59c..39f8232f 100644
--- a/frontend/src/routes/user/reset-password/+page.server.ts
+++ b/frontend/src/routes/user/reset-password/+page.server.ts
@@ -21,7 +21,8 @@ export const actions: Actions = {
 headers: {
 'Content-Type': 'application/json',
 'X-CSRFToken': csrfToken,
- Cookie: `csrftoken=${csrfToken}`
+ Cookie: `csrftoken=${csrfToken}`,
+ Referer: event.url.origin // Include Referer header
 },
 body: JSON.stringify({
 email
diff --git a/frontend/src/routes/user/reset-password/[key]/+page.server.ts b/frontend/src/routes/user/reset-password/[key]/+page.server.ts
index 2db51f61..e2f92b7d 100644
--- a/frontend/src/routes/user/reset-password/[key]/+page.server.ts
+++ b/frontend/src/routes/user/reset-password/[key]/+page.server.ts
@@ -35,7 +35,8 @@ export const actions: Actions = {
 headers: {
 'Content-Type': 'application/json',
 Cookie: `csrftoken=${csrfToken}`,
- 'X-CSRFToken': csrfToken
+ 'X-CSRFToken': csrfToken,
+ Referer: event.url.origin // Include Referer header
 },
 method: 'POST',
 credentials: 'include',