This commit implements CSRF token support for all session-based API
requests to fix the "CSRF token missing" and "CSRF token mismatch" errors
introduced after CSRF protection was added in commit 62c4cc84.

Changes:
- Created csrfService.ts utility for fetching and caching CSRF tokens
- Added getPostHeadersWithCsrf() helper to authUtils for async token injection
- Updated all service files (*Service.ts) to include CSRF tokens in POST/PUT/PATCH/DELETE requests
- Updated components with inline fetch calls to use getCsrfToken()
- Fixed CSRF middleware to use single lusca instance instead of creating new instances per request
- Improved generateToken() to use req.csrfToken() when available
- Added CalDAV path exemption to CSRF protection

Technical details:
- CSRF tokens are fetched from /api/csrf-token endpoint
- Tokens are cached and reused across requests to avoid unnecessary fetches
- Tokens are included in x-csrf-token header for state-changing requests
- Public endpoints (login, register) remain exempt from CSRF protection
- Bearer token authentication remains exempt from CSRF protection

Files modified:
- Backend: app.js, middleware/csrf.js
- Frontend: 13 service files, 8 component files
- New file: frontend/utils/csrfService.ts

This ensures all session-based requests properly include CSRF tokens while
maintaining support for API token authentication.

* Add next suggestions and remove console logs
* Add pomodoro timer
* Add pomodoro switch in settings
* Fix pomodoro setting
* Add timezones to settings
* Fix an issue with password reset
* Cleanup
* Sort tags alphabetically
* Clean up today's view
* Add an indicator for repeatedly added to today
* Refactor tags
* Add due date today item
* Move recurrence to the subtitle area
* Fix today layout
* Add a badge to Inbox items
* Move inbox badge to sidebar
* Add quotes and progress bar
* Add translations for quotes
* Fix test issues
* Add helper script for docker local
* Set up overdue tasks
* Add linux/arm/v7 build to deploy script
* Add linux/arm/v7 build to deploy script pt2
* Fix an issue with helmet and SSL
* Add volume db persistence
* Fix cog icon issues
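
The client-side token handling described in the CSRF part of this commit message (fetch from /api/csrf-token, cache and reuse, send in x-csrf-token on state-changing requests), as an added JavaScript example that is not the project's csrfService.ts. Assumptions: the names createCsrfClient, csrfFetch and needsCsrfToken, the `{ csrfToken }` response shape, and the single retry after a 403 are hypothetical.

```javascript
// Added example: names and response shapes are assumptions, not the project's code.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Only state-changing methods carry the token; safe methods are sent as-is.
function needsCsrfToken(method) {
  return STATE_CHANGING.has(String(method || 'GET').toUpperCase());
}

function createCsrfClient(fetchImpl) {
  let cached = null;   // last token returned by the server
  let inFlight = null; // shared promise so concurrent callers trigger one fetch

  function getCsrfToken() {
    if (cached) return Promise.resolve(cached);
    if (!inFlight) {
      inFlight = fetchImpl('/api/csrf-token', { credentials: 'include' })
        .then((res) => {
          if (!res.ok) throw new Error(`CSRF token fetch failed: ${res.status}`);
          return res.json();
        })
        .then((body) => {
          // Assumed response shape: { "csrfToken": "<value>" }
          if (!body || typeof body.csrfToken !== 'string') throw new Error('CSRF token missing');
          cached = body.csrfToken;
          return cached;
        })
        .finally(() => { inFlight = null; }); // a failed fetch is never cached
    }
    return inFlight;
  }

  async function send(url, init) {
    const headers = { ...(init.headers || {}), 'x-csrf-token': await getCsrfToken() };
    return fetchImpl(url, { ...init, headers, credentials: 'include' });
  }

  async function csrfFetch(url, init = {}) {
    if (!needsCsrfToken(init.method)) return fetchImpl(url, { ...init, credentials: 'include' });
    let res = await send(url, init);
    if (res.status === 403) {
      // Assumption: a 403 can mean the cached token is stale (e.g. a new session).
      cached = null;
      res = await send(url, init); // one retry only, so a real denial does not loop
    }
    return res;
  }

  return { getCsrfToken, csrfFetch };
}
```

The fetch implementation is injected, so in a browser the call is `createCsrfClient(fetch.bind(window))`.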