@autumnsgrove/groveengine 0.4.10 → 0.4.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/utils/api.d.ts +5 -0
- package/dist/utils/api.js +32 -3
- package/package.json +1 -1
package/dist/utils/api.d.ts
CHANGED
|
@@ -2,6 +2,11 @@
|
|
|
2
2
|
* Client-side API utility with automatic CSRF token injection
|
|
3
3
|
* Provides fetch wrapper with security headers and error handling
|
|
4
4
|
*/
|
|
5
|
+
/**
|
|
6
|
+
* Get CSRF token from cookie or meta tag
|
|
7
|
+
* @returns {string|null} CSRF token or null if not found
|
|
8
|
+
*/
|
|
9
|
+
export function getCSRFToken(): string | null;
|
|
5
10
|
/**
|
|
6
11
|
* Fetch wrapper with automatic CSRF token injection
|
|
7
12
|
* @param {string} url - API endpoint URL
|
package/dist/utils/api.js
CHANGED
|
@@ -3,6 +3,26 @@
|
|
|
3
3
|
* Provides fetch wrapper with security headers and error handling
|
|
4
4
|
*/
|
|
5
5
|
|
|
6
|
+
/**
|
|
7
|
+
* Get CSRF token from cookie or meta tag
|
|
8
|
+
* @returns {string|null} CSRF token or null if not found
|
|
9
|
+
*/
|
|
10
|
+
export function getCSRFToken() {
|
|
11
|
+
if (typeof document === "undefined") return null; // SSR safety
|
|
12
|
+
|
|
13
|
+
// Try cookie first
|
|
14
|
+
const cookieToken = document.cookie
|
|
15
|
+
.split("; ")
|
|
16
|
+
.find((row) => row.startsWith("csrf_token="))
|
|
17
|
+
?.split("=")[1];
|
|
18
|
+
|
|
19
|
+
if (cookieToken) return cookieToken;
|
|
20
|
+
|
|
21
|
+
// Fallback to meta tag
|
|
22
|
+
const metaTag = document.querySelector('meta[name="csrf-token"]');
|
|
23
|
+
return metaTag?.getAttribute("content") || null;
|
|
24
|
+
}
|
|
25
|
+
|
|
6
26
|
/**
|
|
7
27
|
* Fetch wrapper with automatic CSRF token injection
|
|
8
28
|
* @param {string} url - API endpoint URL
|
|
@@ -11,20 +31,22 @@
|
|
|
11
31
|
* @throws {Error} If request fails
|
|
12
32
|
*/
|
|
13
33
|
export async function apiRequest(url, options = {}) {
|
|
14
|
-
const csrfToken =
|
|
34
|
+
const csrfToken = getCSRFToken();
|
|
35
|
+
const method = options.method?.toUpperCase() || "GET";
|
|
36
|
+
const isStateMutating = ["POST", "PUT", "DELETE", "PATCH"].includes(method);
|
|
15
37
|
|
|
16
38
|
// Debug logging
|
|
17
39
|
if (typeof console !== "undefined" && process.env.NODE_ENV !== "production") {
|
|
18
40
|
console.debug("[apiRequest]", {
|
|
19
41
|
url,
|
|
42
|
+
method,
|
|
20
43
|
csrfToken: csrfToken ? "present" : "missing",
|
|
44
|
+
isStateMutating,
|
|
21
45
|
});
|
|
22
46
|
}
|
|
23
47
|
|
|
24
48
|
// Build headers - don't set Content-Type for FormData (browser sets it with boundary)
|
|
25
49
|
const headers = {
|
|
26
|
-
...(csrfToken && { "X-CSRF-Token": csrfToken }),
|
|
27
|
-
...(csrfToken && { "csrf-token": csrfToken }), // fallback header
|
|
28
50
|
...options.headers,
|
|
29
51
|
};
|
|
30
52
|
|
|
@@ -33,9 +55,16 @@ export async function apiRequest(url, options = {}) {
|
|
|
33
55
|
headers["Content-Type"] = "application/json";
|
|
34
56
|
}
|
|
35
57
|
|
|
58
|
+
// Add CSRF token for state-changing requests
|
|
59
|
+
if (isStateMutating && csrfToken) {
|
|
60
|
+
headers["X-CSRF-Token"] = csrfToken;
|
|
61
|
+
headers["csrf-token"] = csrfToken; // fallback header
|
|
62
|
+
}
|
|
63
|
+
|
|
36
64
|
const response = await fetch(url, {
|
|
37
65
|
...options,
|
|
38
66
|
headers,
|
|
67
|
+
credentials: "include", // Include cookies
|
|
39
68
|
});
|
|
40
69
|
|
|
41
70
|
if (!response.ok) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@autumnsgrove/groveengine",
|
|
3
|
-
"version": "0.4.
|
|
3
|
+
"version": "0.4.11",
|
|
4
4
|
"description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
|
|
5
5
|
"author": "AutumnsGrove",
|
|
6
6
|
"license": "MIT",
|