fix: resolve iOS forbidden errors by delivering CSRF token in response body

iOS Safari (especially PWA/standalone mode) unreliably exposes cookies via document.cookie, causing CSRF token mismatch on state-changing requests. The CSRF token is now included in /auth/login and /auth/me response bodies and stored in-memory on the client. Cookie remains as fallback. Retry mechanism also improved to read token from response body and handle expired sessions.
2026-04-14 18:53:42 +02:00
parent b152d0e53f
commit 44d1b88e3d
4 changed files with 25 additions and 5 deletions
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [0.19.4] - 2026-04-14
+
+### Fixed
+- iOS: persistent "forbidden" (403) errors caused by iOS Safari/PWA not reliably exposing CSRF cookie via `document.cookie`. CSRF token is now returned in the response body of `/auth/login` and `/auth/me` and stored in-memory, bypassing cookie read issues entirely. Cookie is still set as fallback.
+- CSRF retry: `/auth/me` refresh now reads the token from the response body instead of relying on the cookie being available. Also handles expired sessions (401) during retry instead of silently failing.
+
 ## [0.19.3] - 2026-04-14

 ### Added
@@ -1,6 +1,6 @@
 {
  "name": "oikos",
-  "version": "0.19.3",
+  "version": "0.19.4",
  "description": "Self-hosted family planner - calendar, tasks, shopping, meal planning, budget and more. Private, open-source, no subscription.",
  "main": "server/index.js",
  "type": "module",
@@ -6,8 +6,12 @@

 const API_BASE = '/api/v1';

-/** Liest den CSRF-Token aus dem Cookie (gesetzt vom Server nach Login). */
+/** In-Memory CSRF-Token (zuverlaessiger als document.cookie auf iOS Safari/PWA). */
+let _csrfToken = '';
+
+/** Liest den CSRF-Token: bevorzugt In-Memory, Fallback auf Cookie. */
 function getCsrfToken() {
+  if (_csrfToken) return _csrfToken;
  return document.cookie.split(';')
    .map((c) => c.trim())
    .find((c) => c.startsWith('csrf-token='))
@@ -46,14 +50,23 @@ async function apiFetch(path, options = {}, _retried = false) {
  }

  // CSRF-Token-Desync (haeufig nach iOS-PWA-Resume): einmal GET /auth/me
-  // ausfuehren um den CSRF-Cookie zu erneuern, dann den Request wiederholen.
+  // ausfuehren um den CSRF-Token zu erneuern, dann den Request wiederholen.
  if (response.status === 403 && stateChanging && !_retried) {
-    await fetch(`${API_BASE}/auth/me`, { credentials: 'same-origin', cache: 'no-store' });
+    const meRes = await fetch(`${API_BASE}/auth/me`, { credentials: 'same-origin', cache: 'no-store' });
+    if (meRes.status === 401) {
+      window.dispatchEvent(new CustomEvent('auth:expired'));
+      throw new Error('Sitzung abgelaufen.');
+    }
+    const meData = await meRes.json().catch(() => null);
+    if (meData?.csrfToken) _csrfToken = meData.csrfToken;
    return apiFetch(path, options, true);
  }

  const data = await response.json().catch(() => null);

+  // CSRF-Token aus Response-Body extrahieren (zuverlaessiger als Cookie auf iOS)
+  if (data?.csrfToken) _csrfToken = data.csrfToken;
+
  if (!response.ok) {
    const message = data?.error || `HTTP ${response.status}`;
    throw new ApiError(message, response.status, data);
@@ -209,6 +209,7 @@ router.post('/login', loginLimiter, async (req, res) => {
          avatar_color: user.avatar_color,
          role: user.role,
        },
+        csrfToken: req.session.csrfToken,
      });
    });
  } catch (err) {
@@ -260,7 +261,7 @@ router.get('/me', requireAuth, (req, res) => {
      maxAge: 1000 * 60 * 60 * 24 * 7,
    });

-    res.json({ user });
+    res.json({ user, csrfToken: req.session.csrfToken });
  } catch (err) {
    log.error('/me Fehler:', err);
    res.status(500).json({ error: 'Interner Serverfehler.', code: 500 });