fix(immich): send x-csrf-token header on sync requests (fixes 'CSRF validation failed') #43
Symptom: the Immich page renders, but clicking a sync button returns 403 'CSRF validation failed'.
Cause: `proxy.ts` (the Next.js middleware) enforces double-submit CSRF on mutating `/api/*` requests — the `x-csrf-token` header must equal the `csrf_token` cookie (set on GET, `httpOnly: false`). `ImmichSyncButton` did `fetch(endpoint, { method: "POST" })` without the header. The library mutations work because they're server actions (path isn't `/api/`, so `proxy.ts` exempts them).

Fix: add `readCsrfToken()` (`src/lib/csrf.ts`) that reads the `csrf_token` cookie, and have `ImmichSyncButton` echo it in the `x-csrf-token` header. `runImmichSyncRequest` gains an optional `csrfToken` param so it stays unit-testable; added a test asserting the header is sent.

Verified: lint clean; build OK; button tests 3/3 (incl. the new CSRF-header case).
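The double-submit check described in this PR, shown end to end as an added example that is not the project's `proxy.ts` or `src/lib/csrf.ts`. Only the cookie name `csrf_token`, the header name `x-csrf-token` and the "mutating `/api/*` only" rule come from the PR; the function names (`parseCookies`, `readCsrfToken`, `validateCsrf`), the request shape and the sample cookie value are assumptions made here for illustration. It demonstrates why the pre-fix request fails and the fixed one passes, and why a non-`/api/` server action is exempt.

```typescript
// Added example, not the project's code. Names and request shape are assumed;
// cookie/header names and the middleware rule follow the PR description.

const CSRF_COOKIE = "csrf_token";
const CSRF_HEADER = "x-csrf-token";
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Minimal request shape with lowercase header names (assumed for the example).
interface Req {
  method: string;
  path: string;
  headers: Record<string, string>;
}

type Verdict = "ok" | "exempt" | "csrf-failed";

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieHeader: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Client side: read the non-httpOnly csrf_token cookie so the button can echo it.
// In the browser the argument would be document.cookie.
function readCsrfToken(documentCookie: string): string | undefined {
  return parseCookies(documentCookie)[CSRF_COOKIE];
}

// Compare token strings without short-circuiting on the first differing byte.
function timingSafeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the middleware rule. Only mutating /api/* requests are checked;
// GETs and server-action paths outside /api/ are exempt.
function validateCsrf(req: Req): Verdict {
  const mutating = MUTATING_METHODS.has(req.method.toUpperCase());
  if (!mutating || !req.path.startsWith("/api/")) return "exempt";
  const cookieToken = parseCookies(req.headers["cookie"] ?? "")[CSRF_COOKIE];
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken || !headerToken) return "csrf-failed";
  return timingSafeEqual(cookieToken, headerToken) ? "ok" : "csrf-failed";
}

// Constructed sample cookie jar; the token value is invented for this example.
const sampleCookie = "theme=dark; csrf_token=abc123DEF";
const syncPath = "/api/immich/sync"; // assumed endpoint path

// Before the fix: POST with the cookie but no x-csrf-token header.
function requestWithoutHeader(): Req {
  return { method: "POST", path: syncPath, headers: { cookie: sampleCookie } };
}

// After the fix: the button echoes the cookie value in the header.
function requestWithHeader(): Req {
  const token = readCsrfToken(sampleCookie) ?? "";
  return {
    method: "POST",
    path: syncPath,
    headers: { cookie: sampleCookie, [CSRF_HEADER]: token },
  };
}

console.log("without header:", validateCsrf(requestWithoutHeader())); // csrf-failed
console.log("with header:   ", validateCsrf(requestWithHeader()));    // ok
```

The example also covers the two exemptions the PR relies on: a GET to the same path and a POST to a non-`/api/` path both return `"exempt"`, which is why the library server actions kept working while the sync button failed.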