openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve iOS forbidden errors by delivering CSRF token in response body

Browse Source 
iOS Safari (especially PWA/standalone mode) unreliably exposes cookies
via document.cookie, causing CSRF token mismatch on state-changing
requests. The CSRF token is now included in /auth/login and /auth/me
response bodies and stored in-memory on the client. Cookie remains as
fallback. Retry mechanism also improved to read token from response
body and handle expired sessions.
This commit is contained in:
Ulas
2026-04-14 18:53:42 +02:00
parent b152d0e53f
commit 44d1b88e3d
4 changed files with 25 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/api.js
+16 -3
View File
@@ -6,8 +6,12 @@
const API_BASE = '/api/v1';
/** Liest den CSRF-Token aus dem Cookie (gesetzt vom Server nach Login). */
/** In-Memory CSRF-Token (zuverlaessiger als document.cookie auf iOS Safari/PWA). */
let _csrfToken = '';
/** Liest den CSRF-Token: bevorzugt In-Memory, Fallback auf Cookie. */
function getCsrfToken() {
if (_csrfToken) return _csrfToken;
return document.cookie.split(';')
.map((c) => c.trim())
.find((c) => c.startsWith('csrf-token='))
@@ -46,14 +50,23 @@ async function apiFetch(path, options = {}, _retried = false) {
}
// CSRF-Token-Desync (haeufig nach iOS-PWA-Resume): einmal GET /auth/me
// ausfuehren um den CSRF-Cookie zu erneuern, dann den Request wiederholen.
// ausfuehren um den CSRF-Token zu erneuern, dann den Request wiederholen.
if (response.status === 403 && stateChanging && !_retried) {
await fetch(`${API_BASE}/auth/me`, { credentials: 'same-origin', cache: 'no-store' });
const meRes = await fetch(`${API_BASE}/auth/me`, { credentials: 'same-origin', cache: 'no-store' });
if (meRes.status === 401) {
window.dispatchEvent(new CustomEvent('auth:expired'));
throw new Error('Sitzung abgelaufen.');
}
const meData = await meRes.json().catch(() => null);
if (meData?.csrfToken) _csrfToken = meData.csrfToken;
return apiFetch(path, options, true);
}
const data = await response.json().catch(() => null);
// CSRF-Token aus Response-Body extrahieren (zuverlaessiger als Cookie auf iOS)
if (data?.csrfToken) _csrfToken = data.csrfToken;
if (!response.ok) {
const message = data?.error || `HTTP ${response.status}`;
throw new ApiError(message, response.status, data);