fix: service edit, CSRF token stability, and license restore (v1.1.1)

- Fix service edit double-write bug (was creating duplicate entries) - Add editable display name field to service edit modal - Backend update endpoint now accepts name, logo, and recalculates url - Fix CSRF token regeneration breaking all POST requests (nonce was being regenerated on every request, invalidating cached tokens) - CSRF nonce now persists across requests, rotated only on TOTP login - Frontend secureFetch auto-retries on CSRF failure with fresh token - Restore lifetime license activation on DNS2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 13:39:05 -07:00
parent 263b090769
commit b4022288dc
9 changed files with 122 additions and 70 deletions
--- a/status/js/globals.js
+++ b/status/js/globals.js
@@ -166,16 +166,18 @@ async function getCSRFToken() {
 }

 /**
- * Secure fetch wrapper that automatically adds CSRF token to state-changing requests
+ * Secure fetch wrapper that automatically adds CSRF token to state-changing requests.
+ * If the server returns a CSRF error (403 with DC-100/DC-101), automatically
+ * refreshes the token and retries once.
 * @param {string} url - URL to fetch
 * @param {Object} options - Fetch options
 * @returns {Promise<Response>} Fetch response
 */
 async function secureFetch(url, options = {}) {
  const method = (options.method || 'GET').toUpperCase();
+  const needsCsrf = !['GET', 'HEAD', 'OPTIONS'].includes(method);

-  // Add CSRF token for state-changing methods
-  if (!['GET', 'HEAD', 'OPTIONS'].includes(method)) {
+  if (needsCsrf) {
    try {
      const token = await getCSRFToken();
      options.headers = {
@@ -192,7 +194,26 @@ async function secureFetch(url, options = {}) {
    options = { ...options, signal: AbortSignal.timeout(15000) };
  }

-  return fetch(url, options);
+  const response = await fetch(url, options);
+
+  // Auto-retry once on CSRF failure (token may have been rotated by TOTP re-auth)
+  if (needsCsrf && response.status === 403) {
+    try {
+      const body = await response.clone().json();
+      if (body.error && (body.error.includes('DC-100') || body.error.includes('DC-101'))) {
+        csrfToken = null; // Clear cached token
+        const freshToken = await getCSRFToken();
+        options.headers = { ...options.headers, 'X-CSRF-Token': freshToken };
+        // New signal for retry (old one may have been consumed)
+        options.signal = AbortSignal.timeout(15000);
+        return fetch(url, options);
+      }
+    } catch (_) {
+      // If clone/json fails, return original response
+    }
+  }
+
+  return response;
 }

 // ===== API CALL HELPERS =====