[688] Embed potential cross site forgery token while uploading files

Bug: #688 Signed-off-by: Stéphane Bégaudeau <stephane.begaudeau@obeo.fr>
eclipse-sirius · Aug 13, 2021 · 2025fef · 2025fef
1 parent f500f97
commit 2025fef
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/frontend/src/common/sendFile.ts b/frontend/src/common/sendFile.ts
@@ -23,12 +23,33 @@ export const sendFile = async (query: string, variables: any, file: File) => {
   formData.append('map', JSON.stringify({ '0': 'variables.file' }));
   formData.append('0', file);
 
+  const csrfToken = getCookie('XSRF-TOKEN');
+
   const response = await fetch(`${httpOrigin}/api/graphql/upload`, {
     method: 'POST',
     body: formData,
     credentials: 'include',
     mode: 'cors',
+    headers: {
+      'X-XSRF-TOKEN': csrfToken,
+    },
   });
 
   return await response.json();
 };
+
+const getCookie = (name: string): string => {
+  let cookieValue: string = null;
+  if (document.cookie && document.cookie !== '') {
+    const cookies = document.cookie.split(';');
+    for (let i = 0; i < cookies.length; i++) {
+      const cookie = cookies[i].trim();
+      // Does this cookie string begin with the name we want?
+      if (cookie.substring(0, name.length + 1) === name + '=') {
+        cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+        break;
+      }
+    }
+  }
+  return cookieValue;
+};