feat: implement comprehensive CSRF protection

2026-01-16 22:12:08 +01:00 · 2025-07-11 18:06:51 +02:00
parent e7818f5e4f
commit 3e9e75e854
44 changed files with 14964 additions and 6413 deletions
--- a/lib/trpc-client.ts
+++ b/lib/trpc-client.ts
@ -9,6 +9,7 @@ import { httpBatchLink } from "@trpc/client";
 import { createTRPCNext } from "@trpc/next";
 import superjson from "superjson";
 import type { AppRouter } from "@/server/routers/_app";
+import { CSRFClient } from "./csrf";

 function getBaseUrl() {
  if (typeof window !== "undefined") {
@ -54,10 +55,25 @@ export const trpc = createTRPCNext<AppRouter>({
           * @link https://trpc.io/docs/v10/header
           */
          headers() {
-            return {
-              // Include credentials for authentication
+            const headers: Record<string, string> = {};
+
+            // Add CSRF token for state-changing operations
+            const csrfToken = CSRFClient.getToken();
+            if (csrfToken) {
+              headers["x-csrf-token"] = csrfToken;
+            }
+
+            return headers;
+          },
+
+          /**
+           * Custom fetch implementation to include credentials
+           */
+          fetch(url, options) {
+            return fetch(url, {
+              ...options,
              credentials: "include",
-            };
+            });
          },
        }),
      ],