diana.dolgolyova/blackheart-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add CSRF protection for admin API routes

Browse Source 
Double-submit cookie pattern: login sets bh-csrf-token cookie,
proxy.ts validates X-CSRF-Token header on POST/PUT/DELETE to /api/admin/*.
New adminFetch() helper in src/lib/csrf.ts auto-includes the header.
All admin pages migrated from fetch() to adminFetch().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Diana Dolgolyova
2026-03-17 17:53:02 +03:00
parent 3ac6a4d840
commit 6cbdba2197
12 changed files with 161 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/app/admin/news/page.tsx
View File

@@ -5,6 +5,7 @@ import { SectionEditor } from "../_components/SectionEditor";
import { InputField, TextareaField } from "../_components/FormField";
import { ArrayEditor } from "../_components/ArrayEditor";
import { Upload, Loader2, ImageIcon, X } from "lucide-react";
import { adminFetch } from "@/lib/csrf";
import type { NewsItem } from "@/types/content";
interface NewsData {
@@ -30,7 +31,7 @@ function ImageUploadField({
formData.append("file", file);
formData.append("folder", "news");
try {
const res = await fetch("/api/admin/upload", {
const res = await adminFetch("/api/admin/upload", {
method: "POST",
body: formData,
});