fix: send csrf token for staff check-in

2026-04-30 13:40:09 +02:00
parent d6d83fbb07
commit b8d2dade40
2 changed files with 29 additions and 4 deletions
--- a/frontend/src/app/pages/check-in-placeholder-page.component.ts
+++ b/frontend/src/app/pages/check-in-placeholder-page.component.ts
@@ -170,7 +170,7 @@ type BarcodeDetectorConstructor = new (options?: { formats?: string[] }) => Barc
            <p class="error-message" aria-live="assertive">This reservation is already checked in.</p>
          }
          @if (state() === 'unauthorized') {
-            <p class="error-message" aria-live="assertive">You are not authorized. Log into <code>/admin</code> with a staff account, then retry this check-in.</p>
+            <p class="error-message" aria-live="assertive">You are not authorized. Log into <code>/admin</code> with a staff account, let the page reload with that session, then retry this check-in.</p>
          }
          @if (state() === 'error') {
            <p class="error-message" aria-live="assertive">Something went wrong. Please try again.</p>
--- a/frontend/src/app/services/shows-api.service.ts
+++ b/frontend/src/app/services/shows-api.service.ts
@@ -1,5 +1,5 @@
 import { inject, Injectable } from '@angular/core';
-import { HttpClient } from '@angular/common/http';
+import { HttpClient, HttpHeaders } from '@angular/common/http';
 import { Observable } from 'rxjs';

 import { API_BASE_URL } from './api-config.token';
@@ -118,7 +118,7 @@ export class ShowsApiService {
    return this.http.post<CheckInPreviewResponse>(
      `${this.apiBaseUrl}/check-ins/preview/`,
      { token },
-      { withCredentials: true },
+      this.buildStaffRequestOptions(),
    );
  }

@@ -126,7 +126,32 @@ export class ShowsApiService {
    return this.http.post<CheckInConfirmResponse>(
      `${this.apiBaseUrl}/check-ins/confirm/`,
      { token },
-      { withCredentials: true },
+      this.buildStaffRequestOptions(),
    );
  }
+
+  private buildStaffRequestOptions(): { headers?: HttpHeaders; withCredentials: true } {
+    const csrfToken = this.readCookie('csrftoken');
+
+    return {
+      withCredentials: true,
+      headers: csrfToken ? new HttpHeaders({ 'X-CSRFToken': csrfToken }) : undefined,
+    };
+  }
+
+  private readCookie(name: string): string {
+    if (typeof document === 'undefined' || !document.cookie) {
+      return '';
+    }
+
+    const cookiePrefix = `${name}=`;
+    for (const cookie of document.cookie.split(';')) {
+      const trimmedCookie = cookie.trim();
+      if (trimmedCookie.startsWith(cookiePrefix)) {
+        return decodeURIComponent(trimmedCookie.slice(cookiePrefix.length));
+      }
+    }
+
+    return '';
+  }
 }