roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: CSRF regression — grace period for old sessions, GET check-port/refresh-ip, Peers.jsx native fetch tokens

Browse Source 
- check_csrf() now issues a token for sessions that predate CSRF (existing logins) instead of blocking them
- /api/wireguard/check-port and /api/wireguard/refresh-ip accept GET so native fetch calls bypass the token requirement
- WireGuard.jsx: changed three native fetch POST → GET for the above endpoints
- Peers.jsx: add X-CSRF-Token header to three native fetch mutation calls (calendar collection, peer PUT, clear-reinstall)
- api.js: export getCsrfToken() so non-Axios callers can read the current token

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-04-27 12:18:02 -04:00
parent a43f9fbf0d
commit 9aaacd11cc
4 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
webui/src/pages/Peers.jsx
+12 -4
View File
@@ -1,6 +1,6 @@
import { useState, useEffect } from 'react';
import { Plus, Trash2, Edit, Eye, Shield, Copy, Download, Key, AlertTriangle, CheckCircle, Globe, Lock, Users, Server } from 'lucide-react';
import { peerRegistryAPI, wireguardAPI } from '../services/api';
import { peerRegistryAPI, wireguardAPI, getCsrfToken } from '../services/api';
import { useConfig } from '../contexts/ConfigContext';
import QRCode from 'qrcode';
@@ -194,7 +194,11 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
if (formData.create_calendar) {
try {
await fetch(`/api/calendar/create-user-collection?user=${formData.name}`, { method: 'POST', credentials: 'include' });
await fetch(`/api/calendar/create-user-collection?user=${formData.name}`, {
method: 'POST',
credentials: 'include',
headers: { 'X-CSRF-Token': getCsrfToken() || '' },
});
} catch {}
}
@@ -225,7 +229,7 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
const r = await fetch(`/api/peers/${selectedPeer.name}`, {
method: 'PUT',
credentials: 'include',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': getCsrfToken() || '' },
body: JSON.stringify({
description: formData.description,
internet_access: formData.internet_access,
@@ -292,7 +296,11 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
const handleConfigDownloaded = async (peerName) => {
try {
await fetch(`/api/peers/${peerName}/clear-reinstall`, { method: 'POST', credentials: 'include' });
await fetch(`/api/peers/${peerName}/clear-reinstall`, {
method: 'POST',
credentials: 'include',
headers: { 'X-CSRF-Token': getCsrfToken() || '' },
});
setPeers(ps => ps.map(p => p.name === peerName ? { ...p, config_needs_reinstall: false } : p));
} catch {}
};