Fix CSRF bugs

src/main/java/dev/kruhlmann/imgfloat/config/SecurityConfig.java

@@ -18,6 +18,7 @@ import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.csrf.CsrfFilter;
@@ -41,6 +42,9 @@ public class SecurityConfig {
         HttpSecurity http,
         OAuth2AuthorizedClientRepository authorizedClientRepository
     ) throws Exception {
+        CsrfTokenRequestAttributeHandler csrfRequestHandler = new CsrfTokenRequestAttributeHandler();
+        csrfRequestHandler.setCsrfRequestAttributeName("_csrf");
+
         http
             .authorizeHttpRequests((auth) ->
                 auth
@@ -89,6 +93,7 @@ public class SecurityConfig {
             .csrf((csrf) ->
                 csrf
                     .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                    .csrfTokenRequestHandler(csrfRequestHandler)
                     .ignoringRequestMatchers("/ws/**")
             )
             .addFilterAfter(csrfTokenCookieFilter(), CsrfFilter.class);
@@ -140,7 +145,10 @@ public class SecurityConfig {
                 HttpServletResponse response,
                 FilterChain filterChain
             ) throws java.io.IOException, jakarta.servlet.ServletException {
-                CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+                CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
+                if (csrfToken == null) {
+                    csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+                }
                 if (csrfToken != null) {
                     String token = csrfToken.getToken();
                     Cookie existingCookie = WebUtils.getCookie(request, "XSRF-TOKEN");

src/main/resources/static/js/admin.js

@@ -438,6 +438,7 @@ function connect() {
         },
         (error) => {
             console.warn("WebSocket connection issue", error);
+            fetchAssets();
             setTimeout(
                 () => showToast("Live updates connection interrupted. Retrying may be necessary.", "warning"),
                 1000,
@@ -2086,7 +2087,7 @@ function uploadAsset(file = null) {
         return;
     }
     if (selectedFile.size > UPLOAD_LIMIT_BYTES) {
-        showToast(`File is too large. Maximum upload size is ${UPLOAD_MAX_BYTES / 1024 / 1024} MB.`, "error");
+        showToast(`File is too large. Maximum upload size is ${UPLOAD_LIMIT_BYTES / 1024 / 1024} MB.`, "error");
         return;
     }
 

src/main/resources/templates/admin.html

@@ -352,7 +352,7 @@
             const broadcaster = /*[[${broadcaster}]]*/ '';
             const username = /*[[${username}]]*/ '';
             const UPLOAD_LIMIT_BYTES = /*[[${uploadLimitBytes}]]*/ 0;
-            const SETTINGS = /*[[${settingsJson}]]*/;
+            const SETTINGS = JSON.parse(/*[[${settingsJson}]]*/);
         </script>
         <script src="/js/cookie-consent.js"></script>
         <script src="/js/toast.js"></script>