
bugfix/csrf#1495

Merged
andi34 merged 2 commits into PhotoboothProject:dev from flacoonb:bugfix/csrf
Mar 26, 2026

Conversation

@flacoonb
Contributor

Prerequisites checklist

What is the purpose of this pull request? (put an "x" next to an item)

  • Documentation update
  • Bug fix
  • New feature
  • Other, please explain:

Fixes intermittent 403 / Invalid CSRF token on POST APIs that already use CSRF (shellCommand, capture, previewCamera, applyEffects, applyVideoEffects) by syncing the token after session drift and hardening session storage.

What changes did you make? (Give an overview)

  • api/csrf.php: JSON endpoint to read the current session CSRF token (GET, no-store).
  • assets/js/tools.js: ajaxWithCsrf (attach token, one retry after csrf.php refresh), explicit CSRF-403 detection, getRequest 403 handling; user message via csrf_session_reloading in en.json.
  • core.js, preview.js, admin/index.js: affected calls use ajaxWithCsrf instead of stale global token / raw $.ajax where needed.
  • lib/boot.php: session save path outside document root (with fallback), GC ini tweaks, cleanup of legacy var/sessions.
  • Branch includes merge from dev (resolve admin/index.js header: photoboothTools + eslint-env browser).

Is there anything you'd like reviewers to focus on?

  • Session directory permissions on real installs (/var/www/sessions or temp fallback).
  • One-time effect of deleting legacy var/sessions (users re-login).

AI used to create this Pull Request?

Yes, in part: implementation and wording were assisted; changes were reviewed and eslint-checked locally.
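To make the refresh-and-retry flow concrete, here is an added example (not code from the PhotoboothProject repository or from this PR): the token-sync logic the description outlines, written in plain JavaScript against a pluggable transport function so it runs in Node without a server. The /api/csrf.php path, the "Invalid CSRF token" message and the rule that only an explicit CSRF rejection may trigger a reload come from the PR text; the header name, the function names, the `{ token }` JSON shape, the POST payload and the fake server are assumptions made for the example. The project's helper is jQuery-based and asynchronous; the flow here is the same, just synchronous so it can be exercised in one process.

```javascript
// Added example, not the project's code. Assumed names: isCsrfRejection,
// fetchCsrfToken, postWithCsrf, makeFakeServer, CSRF_HEADER, the {token} JSON shape.
const CSRF_TOKEN_PATH = "/api/csrf.php";          // endpoint named in the PR
const CSRF_REJECTION_TEXT = "Invalid CSRF token"; // message named in the PR
const CSRF_HEADER = "X-CSRF-Token";               // assumption: header carrying the token

// A 403 counts as a CSRF rejection only when the body names the CSRF token.
// Any other 403 (auth failure, disabled feature) must not trigger a refresh or reload.
function isCsrfRejection(response) {
  return (
    response.status === 403 &&
    typeof response.body === "string" &&
    response.body.includes(CSRF_REJECTION_TEXT)
  );
}

// GET the current session token from the JSON endpoint and validate the shape.
function fetchCsrfToken(transport) {
  const res = transport({ method: "GET", url: CSRF_TOKEN_PATH, headers: {}, body: null });
  if (res.status !== 200) throw new Error(`csrf endpoint returned ${res.status}`);
  const data = JSON.parse(res.body);
  if (typeof data.token !== "string" || data.token === "") {
    throw new Error("csrf endpoint returned no token");
  }
  return data.token;
}

// POST with the cached token; on an explicit CSRF rejection refresh the token
// once and retry once. A second rejection means the session behind the token is
// not the session the endpoint sees, which is the only case that warrants a reload.
function postWithCsrf(transport, client, url, payload) {
  if (!client.token) client.token = fetchCsrfToken(transport);
  const send = () =>
    transport({
      method: "POST",
      url,
      headers: { [CSRF_HEADER]: client.token },
      body: JSON.stringify(payload),
    });

  let res = send();
  let retried = false;
  if (isCsrfRejection(res)) {
    client.token = fetchCsrfToken(transport);
    retried = true;
    res = send();
  }
  return { status: res.status, body: res.body, retried, reloadNeeded: isCsrfRejection(res) };
}

// Constructed fake server with one session. `issued` is what csrf.php hands out,
// `accepted` is what POST endpoints validate against; normally they are equal.
function makeFakeServer() {
  const session = { issued: "tok-1", accepted: "tok-1", counter: 1 };
  return {
    // Session drift: the server-side token changed, the client's cached copy is stale.
    rotate() {
      session.counter += 1;
      session.issued = session.accepted = `tok-${session.counter}`;
    },
    // Persistent mismatch: the token endpoint and the POST endpoint disagree.
    desync() {
      session.accepted = "tok-from-another-session";
    },
    transport(req) {
      if (req.method === "GET" && req.url === CSRF_TOKEN_PATH) {
        return {
          status: 200,
          headers: { "Cache-Control": "no-store" },
          body: JSON.stringify({ token: session.issued }),
        };
      }
      if (req.method === "POST" && req.url === "/api/noaccess") {
        return { status: 403, body: "Forbidden" }; // a 403 that is not about CSRF
      }
      if (req.method === "POST") {
        if (req.headers[CSRF_HEADER] !== session.accepted) {
          return { status: 403, body: CSRF_REJECTION_TEXT };
        }
        return { status: 200, body: JSON.stringify({ ok: true }) };
      }
      return { status: 404, body: "not found" };
    },
  };
}

// Walk through the four situations the retry logic has to distinguish.
function runScenarios() {
  const server = makeFakeServer();
  const client = { token: null };
  const payload = { demo: true }; // constructed payload, not the real capture parameters
  const first = postWithCsrf(server.transport, client, "/api/capture.php", payload);
  server.rotate();
  const afterDrift = postWithCsrf(server.transport, client, "/api/capture.php", payload);
  const unrelated = postWithCsrf(server.transport, client, "/api/noaccess", payload);
  server.desync();
  const broken = postWithCsrf(server.transport, client, "/api/capture.php", payload);
  return { first, afterDrift, unrelated, broken };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The distinction that matters for users is the last field: `afterDrift` recovers silently with one extra round trip, `unrelated` is surfaced as an ordinary 403 with no retry, and only `broken` sets `reloadNeeded`, which is where a message such as the PR's `csrf_session_reloading` string belongs.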

@andi34
Contributor

andi34 commented Mar 22, 2026

Needs to be clean rebased on top of latest dev.l, no merge.

@flacoonb flacoonb force-pushed the bugfix/csrf branch 3 times, most recently from e3c5481 to c9fd71a on March 22, 2026 16:40
@flacoonb
Contributor Author

Needs to be clean rebased on top of latest dev.l, no merge.
👍

- fixes CSRF mismatches on /api/shellCommand.php, /api/previewCamera.php, and /api/capture.php
- adds /api/csrf.php endpoint to fetch the current session CSRF token
- replaces static frontend token usage with token refresh + single retry on 403
- migrates affected requests to ajaxWithCsrf (including applyEffects/applyVideoEffects)
- improves 403 handling: reload only for explicit Invalid CSRF token responses
- moves PHP session storage outside the web root and cleans up legacy public session path
- reduces token drift after session changes and prevents session file exposure
- Use getTranslation('csrf_session_reloading') instead of hardcoded English.

- Log CSRF mismatch with ERROR prefix consistent with tools.js.
@andi34 andi34 merged commit e12db75 into PhotoboothProject:dev Mar 26, 2026
7 checks passed


2 participants