morgane/EverShelf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

Fix unauthorized errors on recipe stream and direct fetch calls.

Browse Source 
Send API token headers on generate_recipe_stream, expiry_history, and tts_proxy after security hardening.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
dadaloop82
2026-06-04 10:33:10 +00:00
parent 0d006625fd
commit a0385cfb9b
1 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
assets/js/app.js
+18 -4
View File
@@ -8827,7 +8827,9 @@ function recalculateAddExpiry() {
async function _fetchExpiryHistoryAndUpdate(productId) { async function _fetchExpiryHistoryAndUpdate(productId) {
try { try {
const res = await fetch(`api/index.php?action=expiry_history&product_id=${encodeURIComponent(productId)}`); const res = await fetch(`api/index.php?action=expiry_history&product_id=${encodeURIComponent(productId)}`, {
headers: { ...(typeof apiAuthHeaders === 'function' ? apiAuthHeaders() : {}) },
});
const data = await res.json(); const data = await res.json();
if (data.avg_days && data.avg_days > 0 && data.count >= 1) { if (data.avg_days && data.avg_days > 0 && data.count >= 1) {
window._historyExpiryDays = data.avg_days; window._historyExpiryDays = data.avg_days;
@@ -14526,7 +14528,11 @@ async function _ttsViaProxy(req) {
// Route through server-side proxy to avoid mixed-content / CORS issues // Route through server-side proxy to avoid mixed-content / CORS issues
return fetch('api/index.php?action=tts_proxy', { return fetch('api/index.php?action=tts_proxy', {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: {
'Content-Type': 'application/json',
'X-EverShelf-Request': '1',
...(typeof apiAuthHeaders === 'function' ? apiAuthHeaders() : {}),
},
body: JSON.stringify({ body: JSON.stringify({
url: req.url, url: req.url,
method: req.method, method: req.method,
@@ -15738,7 +15744,11 @@ async function generateRecipe() {
const response = await fetch('api/index.php?action=generate_recipe_stream', { const response = await fetch('api/index.php?action=generate_recipe_stream', {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: {
'Content-Type': 'application/json',
'X-EverShelf-Request': '1',
...(typeof apiAuthHeaders === 'function' ? apiAuthHeaders() : {}),
},
body: JSON.stringify(payload) body: JSON.stringify(payload)
}); });
@@ -15746,7 +15756,11 @@ async function generateRecipe() {
const data = await response.json().catch(() => ({})); const data = await response.json().catch(() => ({}));
document.getElementById('recipe-loading').style.display = 'none'; document.getElementById('recipe-loading').style.display = 'none';
document.getElementById('recipe-ask').style.display = ''; document.getElementById('recipe-ask').style.display = '';
if (data.error === 'no_api_key') { if (response.status === 401) {
window._apiTokenRequired = true;
if (typeof _promptApiTokenIfNeeded === 'function') _promptApiTokenIfNeeded();
showToast(t('startup.token_required') || 'Token API richiesto', 'warning');
} else if (data.error === 'no_api_key') {
showToast(t('error.no_api_key'), 'warning'); showToast(t('error.no_api_key'), 'warning');
} else { } else {
showToast(data.error || t('recipes.generate_error'), 'error'); showToast(data.error || t('recipes.generate_error'), 'error');