klmp200/Sith
1
0
Fork 0
mirror of https://github.com/ae-utbm/sith.git synced 2025-11-04 02:53:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enable csrf tokens on API routes

Browse Source 
* Upgrade openapi-ts
* Migrate openapi-ts settings to new version
* Add csrf token to headers of all API calls
* Force csrf token authentication on API routes
This commit is contained in:
Antoine Bartuccio
2025-03-03 13:33:58 +01:00
parent b3f67657d7
commit fe417b0c29
5 changed files with 49 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
openapi-csrf.ts Normal file
View File

@@ -0,0 +1,9 @@
import Cookies from "js-cookie";
import type { CreateClientConfig } from "#openapi";
export const createClientConfig: CreateClientConfig = (config) => ({
...config,
headers: {
"X-CSRFToken": Cookies.get("csrftoken"),
},
});

15
openapi-ts.config.ts
View File

@@ -4,7 +4,18 @@ import { defineConfig } from "@hey-api/openapi-ts";
// biome-ignore lint/style/noDefaultExport: needed for openapi-ts
export default defineConfig({
client: "@hey-api/client-fetch",
input: resolve(__dirname, "./staticfiles/generated/openapi/schema.json"),
output: resolve(__dirname, "./staticfiles/generated/openapi"),
output: {
lint: "biome",
format: "biome",
path: resolve(__dirname, "./staticfiles/generated/openapi"),
},
plugins: [
{
name: "@hey-api/client-fetch",
baseUrl: false,
runtimeConfigPath: "./openapi-csrf.ts",
exportFromIndex: true,
},
],
});

36
package-lock.json generated
View File

@@ -16,7 +16,7 @@
"@fullcalendar/daygrid": "^6.1.15",
"@fullcalendar/icalendar": "^6.1.15",
"@fullcalendar/list": "^6.1.15",
"@hey-api/client-fetch": "^0.6.0",
"@hey-api/client-fetch": "^0.8.2",
"@sentry/browser": "^8.34.0",
"@zip.js/zip.js": "^2.7.52",
"3d-force-graph": "^1.73.4",
@@ -31,6 +31,7 @@
"htmx.org": "^2.0.3",
"jquery": "^3.7.1",
"jquery-ui": "^1.14.0",
"js-cookie": "^3.0.5",
"native-file-system-adapter": "^3.0.1",
"three": "^0.172.0",
"three-spritetext": "^1.9.0",
@@ -40,7 +41,7 @@
"@babel/core": "^7.25.2",
"@babel/preset-env": "^7.25.4",
"@biomejs/biome": "1.9.4",
"@hey-api/openapi-ts": "^0.61.3",
"@hey-api/openapi-ts": "^0.64.0",
"@rollup/plugin-inject": "^5.0.5",
"@types/alpinejs": "^3.13.10",
"@types/jquery": "^3.5.31",
@@ -2207,18 +2208,18 @@
}
},
"node_modules/@hey-api/client-fetch": {
"version": "0.6.0",
"resolved": "https://registry.npmjs.org/@hey-api/client-fetch/-/client-fetch-0.6.0.tgz",
"integrity": "sha512-FlhFsVeH8RxJe/nq8xUzxNbiOpe+GadxlD2pfvDyOyLdCTU4o/LRv46ZVWstaW7DgF4nxhI328chy3+AulwVXw==",
"version": "0.8.2",
"resolved": "https://registry.npmjs.org/@hey-api/client-fetch/-/client-fetch-0.8.2.tgz",
"integrity": "sha512-61T4UGfAzY5345vMxWDX8qnSTNRJcOpWuZyvNu3vNebCTLPwMQAM85mhEuBoACdWeRtLhNoUjU0UR5liRyD1bA==",
"license": "MIT",
"funding": {
"url": "https://github.com/sponsors/hey-api"
}
},
"node_modules/@hey-api/json-schema-ref-parser": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/@hey-api/json-schema-ref-parser/-/json-schema-ref-parser-1.0.1.tgz",
"integrity": "sha512-dBt0A7op9kf4BcK++x6HBYDmvCvnJUZEGe5QytghPFHnMXPyKwDKomwL/v5e9ERk6E0e1GzL/e/y6pWUso9zrQ==",
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/@hey-api/json-schema-ref-parser/-/json-schema-ref-parser-1.0.2.tgz",
"integrity": "sha512-F6LSkttZcT/XiX3ydeDqTY3uRN3BLJMwyMTk4kg/ichZlKUp3+3Odv0WokSmXGSoZGTW/N66FROMYAm5NPdJlA==",
"dev": true,
"license": "MIT",
"dependencies": {
@@ -2234,13 +2235,13 @@
}
},
"node_modules/@hey-api/openapi-ts": {
"version": "0.61.3",
"resolved": "https://registry.npmjs.org/@hey-api/openapi-ts/-/openapi-ts-0.61.3.tgz",
"integrity": "sha512-Ls9MBRa5+vg7UHw6fIcfdgcCyZ9vKtRw63nWxwF9zjJIPlzVOZO6xKuzGmDc6o0Pb6XCdTz6lPV5hcV0R4b/ag==",
"version": "0.64.8",
"resolved": "https://registry.npmjs.org/@hey-api/openapi-ts/-/openapi-ts-0.64.8.tgz",
"integrity": "sha512-ytPt/k+ecK7zcpxVocPWzD1bKn98a+9WDK8eJITvbOEkvYsWlozAPO63tQg+65Qpl2pr37025fEo8YcX+DPhBQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@hey-api/json-schema-ref-parser": "1.0.1",
"@hey-api/json-schema-ref-parser": "1.0.2",
"c12": "2.0.1",
"commander": "13.0.0",
"handlebars": "4.7.8"
@@ -2249,7 +2250,7 @@
"openapi-ts": "bin/index.cjs"
},
"engines": {
"node": "^18.20.5 || ^20.11.1 || >=22.11.0"
"node": "^18.18.0 || ^20.9.0 || >=22.10.0"
},
"funding": {
"url": "https://github.com/sponsors/hey-api"
@@ -4295,6 +4296,15 @@
"jquery": ">=1.12.0 <5.0.0"
}
},
"node_modules/js-cookie": {
"version": "3.0.5",
"resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.5.tgz",
"integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
"license": "MIT",
"engines": {
"node": ">=14"
}
},
"node_modules/js-tokens": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",

5
package.json
View File

@@ -26,7 +26,7 @@
"@babel/core": "^7.25.2",
"@babel/preset-env": "^7.25.4",
"@biomejs/biome": "1.9.4",
"@hey-api/openapi-ts": "^0.61.3",
"@hey-api/openapi-ts": "^0.64.0",
"@rollup/plugin-inject": "^5.0.5",
"@types/alpinejs": "^3.13.10",
"@types/jquery": "^3.5.31",
@@ -42,7 +42,7 @@
"@fullcalendar/daygrid": "^6.1.15",
"@fullcalendar/icalendar": "^6.1.15",
"@fullcalendar/list": "^6.1.15",
"@hey-api/client-fetch": "^0.6.0",
"@hey-api/client-fetch": "^0.8.2",
"@sentry/browser": "^8.34.0",
"@zip.js/zip.js": "^2.7.52",
"3d-force-graph": "^1.73.4",
@@ -57,6 +57,7 @@
"htmx.org": "^2.0.3",
"jquery": "^3.7.1",
"jquery-ui": "^1.14.0",
"js-cookie": "^3.0.5",
"native-file-system-adapter": "^3.0.1",
"three": "^0.172.0",
"three-spritetext": "^1.9.0",

2
sith/urls.py
View File

@@ -27,7 +27,7 @@ handler403 = "core.views.forbidden"
handler404 = "core.views.not_found"
handler500 = "core.views.internal_servor_error"
api = NinjaExtraAPI(version="0.2.0", urls_namespace="api")
api = NinjaExtraAPI(version="0.2.0", urls_namespace="api", csrf=True)
api.auto_discover_controllers()
urlpatterns = [