Alo/animaltrack
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CSRF token to event delete fetch() call
All checks were successful
Deploy / deploy (push) Successful in 2m38s
Details

Browse Source 
The delete event functionality uses vanilla fetch() instead of HTMX,
so it wasn't getting the x-csrf-token header that the htmx:configRequest
listener adds. This caused 403 Forbidden on event deletion.

Changes:
- Made getCsrfToken() a global window function so it can be used by
  both HTMX and vanilla fetch() calls
- Added x-csrf-token header to the deleteEvent() fetch request

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Petru
2026-01-08 16:09:21 +00:00
parent cd01daec6d
commit 62cc6c07d1
2 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/animaltrack/web/templates/base.py
View File

@@ -105,15 +105,16 @@ def EventSlideOverScript(): # noqa: N802
def CsrfHeaderScript(): # noqa: N802
"""JavaScript to inject CSRF token into HTMX requests.
"""JavaScript to inject CSRF token into HTMX requests and provide global helper.
Reads the csrf_token cookie and adds it as x-csrf-token header
to all HTMX requests. This is required for POST/PUT/DELETE
requests to pass CSRF validation.
Provides a global getCsrfToken() function that reads the csrf_token cookie.
This function is used both by HTMX (via htmx:configRequest) and by any
vanilla fetch() calls that need CSRF protection.
"""
return Script("""
// Read CSRF token from cookie
function getCsrfToken() {
// Global function to read CSRF token from cookie
// Used by HTMX config and available for vanilla fetch() calls
window.getCsrfToken = function() {
var name = 'csrf_token=';
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
@@ -123,7 +124,7 @@ def CsrfHeaderScript(): # noqa: N802
}
}
return '';
}
};
// Configure HTMX to send CSRF token with all requests
document.body.addEventListener('htmx:configRequest', function(event) {

1
src/animaltrack/web/templates/event_detail.py
View File

@@ -535,6 +535,7 @@ def delete_script() -> Script:
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'x-csrf-token': getCsrfToken(),
},
body: 'reason=Deleted via UI'
});