Security fixes (#8081)

* use safeloader * use json responses wherever possible * remove CORS and add CSRF token * formatting fixes * add envjs back * fix baseurl test
2023-10-06 22:20:30 -05:00
parent 9a4f970337
commit 14d2b79c72
24 changed files with 1357 additions and 488 deletions
--- a/web/src/api/tests/index.test.jsx
+++ b/web/src/api/tests/index.test.jsx
@@ -18,6 +18,6 @@ describe('useApiHost', () => {
        <Test />
      </ApiProvider>
    );
-    expect(screen.queryByText('http://base-url.local:5000/')).toBeInTheDocument();
+    expect(screen.queryByText('http://localhost:3000/')).toBeInTheDocument();
  });
 });
--- a/web/src/api/baseUrl.js
+++ b/web/src/api/baseUrl.js
@@ -1,2 +1 @@
-import { API_HOST } from '../env';
-export const baseUrl = API_HOST || `${window.location.protocol}//${window.location.host}${window.baseUrl || '/'}`;
+export const baseUrl = `${window.location.protocol}//${window.location.host}${window.baseUrl || '/'}`;
--- a/web/src/api/index.jsx
+++ b/web/src/api/index.jsx
@@ -5,6 +5,9 @@ import { WsProvider } from './ws';
 import axios from 'axios';

 axios.defaults.baseURL = `${baseUrl}api/`;
+axios.defaults.headers.common = {
+  'X-CSRF-TOKEN': 1,
+};

 export function ApiProvider({ children, options }) {
  return (