Fix CSRF token parsing in config export/import (related to #646)
The config backup export and import functions were incorrectly parsing
the CSRF token from cookies, causing "Export requires authentication"
errors even when users were properly logged in.
Two issues were fixed:
1. Cookie parsing used `.split('=')[1]` which truncated tokens containing
`=` padding characters (common in base64 tokens). Fixed by using
`.split('=').slice(1).join('=')` to preserve the full value.
2. Missing URL decoding of the cookie value. Browsers percent-encode
cookie values, so `=` becomes `%3D`. The backend then failed to match
the encoded token hash. Fixed by adding `decodeURIComponent()`.
Both fixes mirror the pattern already used in apiClient.ts.
This commit is contained in:
parent
5ec2947d86
commit
8dad0872ae
1 changed files with 10 additions and 6 deletions
|
|
@ -1924,10 +1924,12 @@ const Settings: Component<SettingsProps> = (props) => {
|
|||
|
||||
try {
|
||||
// Get CSRF token from cookie
|
||||
const csrfToken = document.cookie
|
||||
const csrfCookie = document.cookie
|
||||
.split('; ')
|
||||
.find((row) => row.startsWith('pulse_csrf='))
|
||||
?.split('=')[1];
|
||||
.find((row) => row.startsWith('pulse_csrf='));
|
||||
const csrfToken = csrfCookie
|
||||
? decodeURIComponent(csrfCookie.split('=').slice(1).join('='))
|
||||
: undefined;
|
||||
|
||||
const headers: HeadersInit = {
|
||||
'Content-Type': 'application/json',
|
||||
|
|
@ -2051,10 +2053,12 @@ const Settings: Component<SettingsProps> = (props) => {
|
|||
}
|
||||
|
||||
// Get CSRF token from cookie
|
||||
const csrfToken = document.cookie
|
||||
const csrfCookie = document.cookie
|
||||
.split('; ')
|
||||
.find((row) => row.startsWith('pulse_csrf='))
|
||||
?.split('=')[1];
|
||||
.find((row) => row.startsWith('pulse_csrf='));
|
||||
const csrfToken = csrfCookie
|
||||
? decodeURIComponent(csrfCookie.split('=').slice(1).join('='))
|
||||
: undefined;
|
||||
|
||||
const headers: HeadersInit = {
|
||||
'Content-Type': 'application/json',
|
||||
|
|
|
|||
Loading…
Reference in a new issue