LotusGuild/tinker_tickets
4
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: CSRF token staleness causing intermittent 403 on POST actions

Browse Source 
Root cause: bootstrap.php rotates the CSRF token on every successful POST,
but most API endpoints called echo json_encode() directly instead of
apiRespond() — so the rotated token was never returned to the client.
The next POST from the same page sent the now-invalid old token → 403.
Refreshing the page loaded a fresh token, making it work once.

Fixes:
- assign_ticket.php, watch_ticket.php: switch to apiRespond()
- saved_filters.php, user_preferences.php: replace all echo json_encode
  calls with apiRespond() (19 and 12 call sites respectively)
- base.js: both apiFetch() and _apiFetchAuth() now update window.CSRF_TOKEN
  whenever a response includes a csrf_token field, keeping the client
  permanently in sync with server-side rotations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-03-30 19:01:18 -04:00
parent a89095cbcc
commit cfb88d9c88
5 changed files with 36 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
assets/js/base.js
+2
View File
@@ -466,6 +466,7 @@
let data;
try { data = await resp.json(); } catch (_) { data = { success: resp.ok }; }
if (!resp.ok) throw new Error(data.error || data.message || 'HTTP ' + resp.status);
if (data && data.csrf_token) global.CSRF_TOKEN = data.csrf_token;
return data;
}
@@ -2702,6 +2703,7 @@
let data;
try { data = await resp.json(); } catch (_) { data = { success: resp.ok }; }
if (!resp.ok) throw new Error(data.error || data.message || 'HTTP ' + resp.status);
if (data && data.csrf_token) global.CSRF_TOKEN = data.csrf_token;
return data;
}
api.get = url => _apiFetchAuth('GET', url);