From 8008aba4503bf8ba8e7bc9e1ff5318a075fd0411 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 16 Jan 2022 16:10:55 +0100
Subject: [PATCH] web: directly read csrf token before injecting into request

Signed-off-by: Jens Langhammer

---
 web/src/api/Config.ts | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/web/src/api/Config.ts b/web/src/api/Config.ts
index 5f45e404c..802984ccd 100644
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@@ -1,4 +1,4 @@
-import { Config, Configuration, CoreApi, CurrentTenant, Middleware, ResponseContext, RootApi } from "@goauthentik/api";
+import { Config, Configuration, CoreApi, CurrentTenant, FetchParams, Middleware, RequestContext, ResponseContext, RootApi } from "@goauthentik/api";
 import { getCookie } from "../utils";
 import { APIMiddleware } from "../elements/notifications/APIDrawer";
 import { MessageMiddleware } from "../elements/messages/Middleware";
@@ -50,27 +50,21 @@ export function tenant(): Promise {
     return globalTenantPromise;
 }
 
-let csrfToken = getCookie("authentik_csrf");
-
-export class CSRFUpdaterMiddleware implements Middleware {
-    post?(context: ResponseContext): Promise {
-        const newCsrf = getCookie("authentik_csrf");
-        if (newCsrf !== csrfToken) {
-            console.log("authentik/api: rotated CSRF token");
-            csrfToken = newCsrf;
-        }
-        return Promise.resolve(context.response);
+export class CSRFMiddleware implements Middleware {
+    pre?(context: RequestContext): Promise {
+        // @ts-ignore
+        context.init.headers["X-CSRFToken"] = getCookie("authentik_csrf");
+        return Promise.resolve(context);
     }
 }
 
 export const DEFAULT_CONFIG = new Configuration({
     basePath: process.env.AK_API_BASE_PATH + "/api/v3",
     headers: {
-        "X-CSRFToken": csrfToken,
         "sentry-trace": getMetaContent("sentry-trace") || "",
     },
     middleware: [
-        new CSRFUpdaterMiddleware(),
+        new CSRFMiddleware(),
         new APIMiddleware(),
         new MessageMiddleware(),
         new LoggingMiddleware(),
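Review bot: `CSRFMiddleware.pre` writes `context.init.headers["X-CSRFToken"]` behind a `// @ts-ignore`, which assumes the request's `headers` is always a plain string-keyed object; `RequestInit.headers` may also be a `Headers` instance, an array of tuples, or undefined, and in those cases the assignment either throws or sets a property the fetch layer never serializes, so the CSRF token is silently dropped and every mutating call fails 403. Unless the generated client guarantees a plain object here (not visible in this hunk), normalize through `Headers` and remove the ignore: `const headers = new Headers(context.init.headers); headers.set("X-CSRFToken", getCookie("authentik_csrf")); context.init.headers = headers;`. If `getCookie` can return undefined or an empty string before the cookie exists, guard the `set` so the header is omitted rather than sent as the literal string `undefined`, which reads as a forged token in server-side logs instead of an absent one. The surrounding `tenant()` function at the top of the second hunk starts outside the hunk.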