Enable csrf tokens on API routes

* Upgrade openapi-ts * Migrate openapi-ts settings to new version * Add csrf token to headers of all API calls * Force csrf token authentication on API routes
2025-03-09 14:57:08 +00:00 · 2025-03-03 13:33:58 +01:00 · 2025-03-03 13:33:58 +01:00 · fe417b0c29
commit fe417b0c29
parent b3f67657d7
5 changed files with 49 additions and 18 deletions
--- a/openapi-csrf.ts
+++ b/openapi-csrf.ts
@ -0,0 +1,9 @@
+import Cookies from "js-cookie";
+import type { CreateClientConfig } from "#openapi";
+
+export const createClientConfig: CreateClientConfig = (config) => ({
+  ...config,
+  headers: {
+    "X-CSRFToken": Cookies.get("csrftoken"),
+  },
+});
--- a/openapi-ts.config.ts
+++ b/openapi-ts.config.ts
@ -4,7 +4,18 @@ import { defineConfig } from "@hey-api/openapi-ts";

 // biome-ignore lint/style/noDefaultExport: needed for openapi-ts
 export default defineConfig({
-  client: "@hey-api/client-fetch",
  input: resolve(__dirname, "./staticfiles/generated/openapi/schema.json"),
-  output: resolve(__dirname, "./staticfiles/generated/openapi"),
+  output: {
+    lint: "biome",
+    format: "biome",
+    path: resolve(__dirname, "./staticfiles/generated/openapi"),
+  },
+  plugins: [
+    {
+      name: "@hey-api/client-fetch",
+      baseUrl: false,
+      runtimeConfigPath: "./openapi-csrf.ts",
+      exportFromIndex: true,
+    },
+  ],
 });
--- a/package-lock.json
+++ b/package-lock.json
@ -16,7 +16,7 @@
        "@fullcalendar/daygrid": "^6.1.15",
        "@fullcalendar/icalendar": "^6.1.15",
        "@fullcalendar/list": "^6.1.15",
-        "@hey-api/client-fetch": "^0.6.0",
+        "@hey-api/client-fetch": "^0.8.2",
        "@sentry/browser": "^8.34.0",
        "@zip.js/zip.js": "^2.7.52",
        "3d-force-graph": "^1.73.4",
@ -31,6 +31,7 @@
        "htmx.org": "^2.0.3",
        "jquery": "^3.7.1",
        "jquery-ui": "^1.14.0",
+        "js-cookie": "^3.0.5",
        "native-file-system-adapter": "^3.0.1",
        "three": "^0.172.0",
        "three-spritetext": "^1.9.0",
@ -40,7 +41,7 @@
        "@babel/core": "^7.25.2",
        "@babel/preset-env": "^7.25.4",
        "@biomejs/biome": "1.9.4",
-        "@hey-api/openapi-ts": "^0.61.3",
+        "@hey-api/openapi-ts": "^0.64.0",
        "@rollup/plugin-inject": "^5.0.5",
        "@types/alpinejs": "^3.13.10",
        "@types/jquery": "^3.5.31",
@ -2207,18 +2208,18 @@
      }
    },
    "node_modules/@hey-api/client-fetch": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/@hey-api/client-fetch/-/client-fetch-0.6.0.tgz",
-      "integrity": "sha512-FlhFsVeH8RxJe/nq8xUzxNbiOpe+GadxlD2pfvDyOyLdCTU4o/LRv46ZVWstaW7DgF4nxhI328chy3+AulwVXw==",
+      "version": "0.8.2",
+      "resolved": "https://registry.npmjs.org/@hey-api/client-fetch/-/client-fetch-0.8.2.tgz",
+      "integrity": "sha512-61T4UGfAzY5345vMxWDX8qnSTNRJcOpWuZyvNu3vNebCTLPwMQAM85mhEuBoACdWeRtLhNoUjU0UR5liRyD1bA==",
      "license": "MIT",
      "funding": {
        "url": "https://github.com/sponsors/hey-api"
      }
    },
    "node_modules/@hey-api/json-schema-ref-parser": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@hey-api/json-schema-ref-parser/-/json-schema-ref-parser-1.0.1.tgz",
-      "integrity": "sha512-dBt0A7op9kf4BcK++x6HBYDmvCvnJUZEGe5QytghPFHnMXPyKwDKomwL/v5e9ERk6E0e1GzL/e/y6pWUso9zrQ==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@hey-api/json-schema-ref-parser/-/json-schema-ref-parser-1.0.2.tgz",
+      "integrity": "sha512-F6LSkttZcT/XiX3ydeDqTY3uRN3BLJMwyMTk4kg/ichZlKUp3+3Odv0WokSmXGSoZGTW/N66FROMYAm5NPdJlA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -2234,13 +2235,13 @@
      }
    },
    "node_modules/@hey-api/openapi-ts": {
-      "version": "0.61.3",
-      "resolved": "https://registry.npmjs.org/@hey-api/openapi-ts/-/openapi-ts-0.61.3.tgz",
-      "integrity": "sha512-Ls9MBRa5+vg7UHw6fIcfdgcCyZ9vKtRw63nWxwF9zjJIPlzVOZO6xKuzGmDc6o0Pb6XCdTz6lPV5hcV0R4b/ag==",
+      "version": "0.64.8",
+      "resolved": "https://registry.npmjs.org/@hey-api/openapi-ts/-/openapi-ts-0.64.8.tgz",
+      "integrity": "sha512-ytPt/k+ecK7zcpxVocPWzD1bKn98a+9WDK8eJITvbOEkvYsWlozAPO63tQg+65Qpl2pr37025fEo8YcX+DPhBQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@hey-api/json-schema-ref-parser": "1.0.1",
+        "@hey-api/json-schema-ref-parser": "1.0.2",
        "c12": "2.0.1",
        "commander": "13.0.0",
        "handlebars": "4.7.8"
@ -2249,7 +2250,7 @@
        "openapi-ts": "bin/index.cjs"
      },
      "engines": {
-        "node": "^18.20.5 || ^20.11.1 || >=22.11.0"
+        "node": "^18.18.0 || ^20.9.0 || >=22.10.0"
      },
      "funding": {
        "url": "https://github.com/sponsors/hey-api"
@ -4295,6 +4296,15 @@
        "jquery": ">=1.12.0 <5.0.0"
      }
    },
+    "node_modules/js-cookie": {
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
+      "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
    "node_modules/js-tokens": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
--- a/package.json
+++ b/package.json
@ -26,7 +26,7 @@
    "@babel/core": "^7.25.2",
    "@babel/preset-env": "^7.25.4",
    "@biomejs/biome": "1.9.4",
-    "@hey-api/openapi-ts": "^0.61.3",
+    "@hey-api/openapi-ts": "^0.64.0",
    "@rollup/plugin-inject": "^5.0.5",
    "@types/alpinejs": "^3.13.10",
    "@types/jquery": "^3.5.31",
@ -42,7 +42,7 @@
    "@fullcalendar/daygrid": "^6.1.15",
    "@fullcalendar/icalendar": "^6.1.15",
    "@fullcalendar/list": "^6.1.15",
-    "@hey-api/client-fetch": "^0.6.0",
+    "@hey-api/client-fetch": "^0.8.2",
    "@sentry/browser": "^8.34.0",
    "@zip.js/zip.js": "^2.7.52",
    "3d-force-graph": "^1.73.4",
@ -57,6 +57,7 @@
    "htmx.org": "^2.0.3",
    "jquery": "^3.7.1",
    "jquery-ui": "^1.14.0",
+    "js-cookie": "^3.0.5",
    "native-file-system-adapter": "^3.0.1",
    "three": "^0.172.0",
    "three-spritetext": "^1.9.0",
--- a/sith/urls.py
+++ b/sith/urls.py
@ -27,7 +27,7 @@ handler403 = "core.views.forbidden"
 handler404 = "core.views.not_found"
 handler500 = "core.views.internal_servor_error"

-api = NinjaExtraAPI(version="0.2.0", urls_namespace="api")
+api = NinjaExtraAPI(version="0.2.0", urls_namespace="api", csrf=True)
 api.auto_discover_controllers()

 urlpatterns = [