codeforlife 2.6.5 → 2.6.6

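--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [2.6.6](https://github.com/ocadotechnology/codeforlife-package-javascript/compare/v2.6.5...v2.6.6) (2025-01-27)
+
+
+### Bug Fixes
+
+* csrf header for non-safe http methods ([#75](https://github.com/ocadotechnology/codeforlife-package-javascript/issues/75)) ([d0b2b78](https://github.com/ocadotechnology/codeforlife-package-javascript/commit/d0b2b7852fbdc9f84ade5ec4d46cc8a980e60f1e))
+
 ## [2.6.5](https://github.com/ocadotechnology/codeforlife-package-javascript/compare/v2.6.4...v2.6.5) (2025-01-17)
 
 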
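--- a/package/package.json
+++ b/package/package.json
@@ -2,7 +2,7 @@
 "name": "codeforlife",
 "description": "Common frontend code",
 "private": false,
-"version": "2.6.5",
+"version": "2.6.6",
 "type": "module",
 "scripts": {
 "dev": "vite",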
@@ -1,12 +1,14 @@
1
1
  import {
2
2
  createApi as _createApi,
3
3
  fetchBaseQuery,
4
+ type FetchArgs,
4
5
  } from "@reduxjs/toolkit/query/react"
5
6
 
6
7
  import { SERVICE_API_URL } from "../settings"
7
8
  import defaultTagTypes from "./tagTypes"
8
9
  import { buildLogoutEndpoint } from "./endpoints/session"
9
10
  import { getCsrfCookie } from "../utils/auth"
11
+ import { isSafeHttpMethod } from "../utils/api"
10
12
 
11
13
  // TODO: decide if we want to keep any of this.
12
14
  // export function handleResponseError(error: FetchBaseQueryError): void {
@@ -36,8 +38,13 @@ export default function createApi<TagTypes extends string = never>({
36
38
  const fetch = fetchBaseQuery({
37
39
  baseUrl: `${SERVICE_API_URL}/`,
38
40
  credentials: "include",
39
- prepareHeaders: (headers, { type }) => {
40
- if (type === "mutation") {
41
+ prepareHeaders: (headers, endpoint) => {
42
+ const { type, arg } = endpoint as typeof endpoint & {
43
+ arg: string | FetchArgs
44
+ }
45
+ const method = typeof arg === "string" ? "GET" : arg.method || "GET"
46
+
47
+ if (type === "mutation" || !isSafeHttpMethod(method)) {
41
48
  let csrfToken = getCsrfCookie()
42
49
  if (csrfToken) headers.set("x-csrftoken", csrfToken)
43
50
  }
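Review bot: The `endpoint as typeof endpoint & { arg: string | FetchArgs }` cast in the new `prepareHeaders` body asserts a field the compiler has not confirmed for this library version; if the installed @reduxjs/toolkit already types `arg` on the prepareHeaders api object (recent releases do, I believe), the cast is redundant and `const { type, arg } = endpoint` suffices, and if it does not, the cast deserves a one-line comment naming the version it relies on, because a wrong assumption here would silently leave the CSRF header off non-safe queries. `arg.method || "GET"` reads better as `arg.method ?? "GET"`, so that only an absent method falls back to GET. While these lines are being touched, the pre-existing `let csrfToken = getCsrfCookie()` inside the guarded branch is never reassigned and could become `const`. The `prepareHeaders` callback and the enclosing `createApi` both continue outside the hunk.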
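--- a/package/src/utils/api.tsx
+++ b/package/src/utils/api.tsx
@@ -325,3 +325,8 @@ export function handleResultState<QueryArg, ResultType>(
 // Have yet to call the API.
 return loadingNode
 }
+
+export function isSafeHttpMethod(method: string) {
+// https://datatracker.ietf.org/doc/html/rfc9110.html#section-9.2.1
+return ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method.toUpperCase())
+}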
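Review bot: `isSafeHttpMethod` is exported without a declared return type; exported helpers in this file are public API, so `export function isSafeHttpMethod(method: string): boolean {` keeps the body checked against its contract, and a short TSDoc header should state that the list is the RFC 9110 §9.2.1 safe-method set and that any other or unrecognised method (including an empty string) is deliberately reported as unsafe, which is the conservative choice for a guard that decides whether the CSRF header is sent. The array literal is rebuilt on every call from `prepareHeaders`; hoisting it to a module-level `const SAFE_HTTP_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"])` and returning `SAFE_HTTP_METHODS.has(method.toUpperCase())` is the same check without the per-call allocation. `handleResultState`, whose closing brace forms the hunk's context, begins outside the hunk.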