fix: fix csrf token handling after login

2025-04-19 00:45:17 +00:00 · 2025-03-29 17:21:54 +01:00 · 2025-03-29 17:21:54 +01:00 · 3723e4cc75
commit 3723e4cc75
parent 6cbccf6d43
2 changed files with 9 additions and 5 deletions
--- a/frontend/src/router/index.js
+++ b/frontend/src/router/index.js
@ -72,7 +72,6 @@ const router = createRouter({

 router.beforeEach(async (to) => {
  const auth = authStore()
-  const sec = securityStore()

  // check if the request was a successful oauth login
  if ('wgLoginState' in to.query && !auth.IsAuthenticated) {
@ -122,8 +121,13 @@ router.beforeEach(async (to) => {
    auth.SetReturnUrl(to.fullPath) // store original destination before starting the auth process
    return '/login'
  }
+})

-  if (publicPages.includes(to.path)) {
+router.afterEach(async (to, from) => {
+  const sec = securityStore()
+  const csrfPages = ['/login']
+
+  if (csrfPages.includes(to.path)) {
    await sec.LoadSecurityProperties() // make sure we have a valid csrf token
  }
 })
--- a/internal/app/api/core/middleware/csrf/middleware.go
+++ b/internal/app/api/core/middleware/csrf/middleware.go
@ -68,14 +68,14 @@ func (m *Middleware) RefreshToken(next http.Handler) http.Handler {

 		// mask the token
 		maskedToken := maskToken(token, key)
-
-		// store the encoded token in the session
 		encodedToken := encodeToken(maskedToken)
-		m.o.sessionWriter(r, encodedToken)

 		// pass the token down the chain via the context
 		r = r.WithContext(setToken(r.Context(), encodedToken))

+		// store the token in the session
+		m.o.sessionWriter(r, encodedToken)
+
 		next.ServeHTTP(w, r)
 	})
 }