sami7777/dashcaddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: service edit, CSRF token stability, and license restore (v1.1.1)

Browse Source 
- Fix service edit double-write bug (was creating duplicate entries)
- Add editable display name field to service edit modal
- Backend update endpoint now accepts name, logo, and recalculates url
- Fix CSRF token regeneration breaking all POST requests (nonce was
  being regenerated on every request, invalidating cached tokens)
- CSRF nonce now persists across requests, rotated only on TOTP login
- Frontend secureFetch auto-retries on CSRF failure with fresh token
- Restore lifetime license activation on DNS2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Sami
2026-03-23 13:39:05 -07:00
parent 263b090769
commit b4022288dc
9 changed files with 122 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
status/js/core/service-crud.js
View File

@@ -10,7 +10,7 @@
const modal = document.getElementById('service-edit-modal');
document.getElementById('service-edit-title').textContent = `Edit ${service.name}`;
document.getElementById('edit-service-name-display').textContent = service.name;
document.getElementById('edit-service-name').value = service.name;
document.getElementById('edit-service-url-display').textContent = service.url || buildServiceUrl(service.id);
document.getElementById('edit-service-logo-preview').src = service.logo || `/assets/${service.id}.png`;
document.getElementById('edit-subdomain').value = service.id;
@@ -31,6 +31,7 @@
if (!currentEditService) return;
const newSubdomain = document.getElementById('edit-subdomain').value.trim().toLowerCase();
const newName = document.getElementById('edit-service-name').value.trim();
const newPort = document.getElementById('edit-port').value.trim();
const newIp = document.getElementById('edit-ip').value.trim() || 'localhost';
const tailscaleOnly = document.getElementById('edit-tailscale-only').checked;
@@ -45,10 +46,11 @@
const changes = [];
if (newSubdomain !== oldSubdomain) changes.push('subdomain');
if (newName && newName !== currentEditService.name) changes.push('name');
if (newPort && newPort !== String(currentEditService.port)) changes.push('port');
if (newIp !== currentEditService.ip) changes.push('ip');
if (tailscaleOnly !== (currentEditService.tailscaleOnly || false)) changes.push('tailscale');
if (newLogo !== currentEditService.logo) changes.push('logo');
if (newLogo && newLogo !== currentEditService.logo) changes.push('logo');
if (changes.length === 0) {
closeServiceEditModal();
@@ -60,31 +62,32 @@
saveBtn.disabled = true;
try {
if (changes.includes('subdomain') || changes.includes('port') || changes.includes('ip') || changes.includes('tailscale')) {
const response = await secureFetch('/api/v1/services/update', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
oldSubdomain,
newSubdomain,
port: newPort || currentEditService.port,
ip: newIp,
tailscaleOnly
})
});
const response = await secureFetch('/api/v1/services/update', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
oldSubdomain,
newSubdomain,
name: newName || currentEditService.name,
port: newPort || currentEditService.port,
ip: newIp,
tailscaleOnly,
logo: newLogo || undefined
})
});
const result = await response.json();
if (!result.success) {
throw new Error(result.error || 'Failed to update service');
}
const result = await response.json();
if (!result.success) {
throw new Error(result.error || 'Failed to update service');
}
// Update local APPS array
// Update local APPS array to match
const appIndex = window.APPS.findIndex(a => a.id === oldSubdomain);
if (appIndex !== -1) {
window.APPS[appIndex] = {
...window.APPS[appIndex],
id: newSubdomain,
name: newName || window.APPS[appIndex].name,
port: newPort || window.APPS[appIndex].port,
ip: newIp,
tailscaleOnly,
@@ -92,27 +95,6 @@
};
}
// Update services via API
await secureFetch('/api/v1/services', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
id: newSubdomain,
name: currentEditService.name,
port: newPort || currentEditService.port,
ip: newIp,
logo: newLogo || currentEditService.logo,
tailscaleOnly,
containerId: currentEditService.containerId,
appTemplate: currentEditService.appTemplate
})
});
// If subdomain changed, remove old entry
if (newSubdomain !== oldSubdomain) {
await secureFetch(`/api/v1/services/${oldSubdomain}`, { method: 'DELETE' });
}
closeServiceEditModal();
window.buildGrid();
window.refreshAll();

11
status/js/core/service-modals.js
View File

@@ -12,12 +12,19 @@
<!-- Service Info -->
<div style="display: flex; align-items: center; gap: 12px; padding: 12px; background: var(--card-bg); border-radius: 8px;">
<img id="edit-service-logo-preview" src="" alt="" style="width: 48px; height: 48px; border-radius: 8px; object-fit: contain; background: var(--bg);" />
<div>
<div id="edit-service-name-display" style="font-weight: 600; font-size: 1.1rem;"></div>
<div style="flex: 1;">
<div id="edit-service-url-display" class="text-muted-sm"></div>
</div>
</div>
<!-- Display Name -->
<div>
<label for="edit-service-name" class="form-label-accent-sm">
Display Name
</label>
<input type="text" id="edit-service-name" class="form-input-md" placeholder="Service name shown on dashboard" />
</div>
<!-- Subdomain -->
<div>
<label for="edit-subdomain" class="form-label-accent-sm">

29
status/js/globals.js
View File

@@ -166,16 +166,18 @@ async function getCSRFToken() {
}
/**
* Secure fetch wrapper that automatically adds CSRF token to state-changing requests
* Secure fetch wrapper that automatically adds CSRF token to state-changing requests.
* If the server returns a CSRF error (403 with DC-100/DC-101), automatically
* refreshes the token and retries once.
* @param {string} url - URL to fetch
* @param {Object} options - Fetch options
* @returns {Promise<Response>} Fetch response
*/
async function secureFetch(url, options = {}) {
const method = (options.method || 'GET').toUpperCase();
const needsCsrf = !['GET', 'HEAD', 'OPTIONS'].includes(method);
// Add CSRF token for state-changing methods
if (!['GET', 'HEAD', 'OPTIONS'].includes(method)) {
if (needsCsrf) {
try {
const token = await getCSRFToken();
options.headers = {
@@ -192,7 +194,26 @@ async function secureFetch(url, options = {}) {
options = { ...options, signal: AbortSignal.timeout(15000) };
}
return fetch(url, options);
const response = await fetch(url, options);
// Auto-retry once on CSRF failure (token may have been rotated by TOTP re-auth)
if (needsCsrf && response.status === 403) {
try {
const body = await response.clone().json();
if (body.error && (body.error.includes('DC-100') || body.error.includes('DC-101'))) {
csrfToken = null; // Clear cached token
const freshToken = await getCSRFToken();
options.headers = { ...options.headers, 'X-CSRF-Token': freshToken };
// New signal for retry (old one may have been consumed)
options.signal = AbortSignal.timeout(15000);
return fetch(url, options);
}
} catch (_) {
// If clone/json fails, return original response
}
}
return response;
}
// ===== API CALL HELPERS =====

4
status/js/totp-auth.js
View File

@@ -75,6 +75,10 @@
if (data.success) {
errorEl.textContent = '';
// Update cached CSRF token from TOTP response (server rotates it on login)
if (data.csrfToken) {
csrfToken = data.csrfToken;
}
hideTotpOverlay();
// Check if redirected here from another service
const redirect = safeSessionGet('totp_redirect');