fix: CSRF token staleness causing intermittent 403 on POST actions
Root cause: bootstrap.php rotates the CSRF token on every successful POST, but most API endpoints called echo json_encode() directly instead of apiRespond() — so the rotated token was never returned to the client. The next POST from the same page sent the now-invalid old token → 403. Refreshing the page loaded a fresh token, making it work once. Fixes: - assign_ticket.php, watch_ticket.php: switch to apiRespond() - saved_filters.php, user_preferences.php: replace all echo json_encode calls with apiRespond() (19 and 12 call sites respectively) - base.js: both apiFetch() and _apiFetchAuth() now update window.CSRF_TOKEN whenever a response includes a csrf_token field, keeping the client permanently in sync with server-side rotations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -56,12 +56,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$count = (int)$countStmt->get_result()->fetch_assoc()['cnt'];
|
||||
$countStmt->close();
|
||||
|
||||
echo json_encode([
|
||||
apiRespond([
|
||||
'success' => true,
|
||||
'watching' => $action === 'watch',
|
||||
'watcher_count' => $count,
|
||||
]);
|
||||
exit;
|
||||
}
|
||||
|
||||
// GET — return current watch state for this user
|
||||
|
||||
Reference in New Issue
Block a user