Implement CSRF protection

1 files changed, 23 insertions, 14 deletions

diff --git a/frontend/src/index.tsx b/frontend/src/index.tsx
index 4045751f..20f71766 100644
--- a/frontend/src/index.tsx
+++ b/frontend/src/index.tsx
@@ -8,24 +8,33 @@ declare global {
     importDeckyPlugin: Function;
     syncDeckyPlugins: Function;
     deckyHasLoaded: boolean;
+    deckyAuthToken: string;
   }
 }
+(async () => {
+  window.deckyAuthToken = await fetch('http://127.0.0.1:1337/auth/token').then((r) => r.text());
 
-window.DeckyPluginLoader?.dismountAll();
-window.DeckyPluginLoader?.deinit();
+  window.DeckyPluginLoader?.dismountAll();
+  window.DeckyPluginLoader?.deinit();
 
-window.DeckyPluginLoader = new PluginLoader();
-window.importDeckyPlugin = function (name: string) {
-  window.DeckyPluginLoader?.importPlugin(name);
-};
+  window.DeckyPluginLoader = new PluginLoader();
+  window.importDeckyPlugin = function (name: string) {
+    window.DeckyPluginLoader?.importPlugin(name);
+  };
 
-window.syncDeckyPlugins = async function () {
-  const plugins = await (await fetch('http://127.0.0.1:1337/plugins')).json();
-  for (const plugin of plugins) {
-    if (!window.DeckyPluginLoader.hasPlugin(plugin)) window.DeckyPluginLoader?.importPlugin(plugin);
-  }
-};
+  window.syncDeckyPlugins = async function () {
+    const plugins = await (
+      await fetch('http://127.0.0.1:1337/plugins', {
+        credentials: 'include',
+        headers: { Authentication: window.deckyAuthToken },
+      })
+    ).json();
+    for (const plugin of plugins) {
+      if (!window.DeckyPluginLoader.hasPlugin(plugin)) window.DeckyPluginLoader?.importPlugin(plugin);
+    }
+  };
 
-setTimeout(() => window.syncDeckyPlugins(), 5000);
+  setTimeout(() => window.syncDeckyPlugins(), 5000);
 
-window.deckyHasLoaded = true;
+  window.deckyHasLoaded = true;
+})();