From cf18c33147830849a968d28473c78665c4bf5025 Mon Sep 17 00:00:00 2001
From: Mark Patton
Date: Mon, 3 Jun 2024 10:10:25 -0400
Subject: [PATCH] Make sure CSRF token is added to headers
---
 app/adapters/application.js | 10 +++++++---
 app/adapters/file.js | 4 ++++
 app/components/workflow-files/index.js | 7 ++++++-
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/app/adapters/application.js b/app/adapters/application.js
index be72c52a..aa21f67c 100644
--- a/app/adapters/application.js
+++ b/app/adapters/application.js
@@ -2,6 +2,7 @@ import JSONAPIAdapter from '@ember-data/adapter/json-api';
 import { camelize } from '@ember/string';
 import ENV from 'pass-ui/config/environment';
 import { inject as service } from '@ember/service';
+import { get } from '@ember/object';
 /**
 * PASS specific extensions for Ember Data's JSON:API adapter
@@ -11,9 +12,12 @@ export default class ApplicationAdapter extends JSONAPIAdapter {
 namespace = ENV.passApi.namespace;
- headers = {
- withCredentials: true,
- };
+ get headers() {
+ return {
+ withCredentials: true,
+ 'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+ };
+ }
 // Camel case instead of pluralize model types for our API
 pathForType(type) {
diff --git a/app/adapters/file.js b/app/adapters/file.js
index 9667ae1c..2cc4bdaf 100644
--- a/app/adapters/file.js
+++ b/app/adapters/file.js
@@ -22,6 +22,10 @@ export default class FileAdapter extends ApplicationAdapter {
 }
 return fetch(url, {
 method: 'DELETE',
+ credentials: 'same-origin',
+ headers: {
+ 'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+ },
 }).then((response) => {
 if (!response.ok) {
 throw new Error('Delete request to the file service failed');
diff --git a/app/components/workflow-files/index.js b/app/components/workflow-files/index.js
index 3964895f..805ae49f 100644
--- a/app/components/workflow-files/index.js
+++ b/app/components/workflow-files/index.js
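Review bot: The added `import { get } from '@ember/object';` is not used by anything visible in this patch; the `get headers()` introduced in the next hunk is a native class getter and needs no import. Unless code outside the visible hunks calls `get(...)`, drop the line so the linter does not flag it.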
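Review bot: `document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1']` in the new `headers` getter throws a TypeError whenever no XSRF-TOKEN cookie is present, because `match` returns null; the getter presumably runs for every Ember Data request, so a missing or expired cookie would turn each API call into a client-side exception instead of a request the server can reject. The same expression is repeated in the `fetch` DELETE options in app/adapters/file.js and in `uploadFile` in app/components/workflow-files/index.js, so all three fail the same way. The pattern is also unanchored, so a cookie whose name merely ends in `XSRF-TOKEN` can match first. I would move the lookup into one shared helper that anchors on the cookie name and returns undefined when the cookie is absent, and set the header only when a token was found, as sketched below. The class body continues outside the hunk.

```javascript
// shared helper, reused by both adapters and the upload component
function xsrfToken() {
  const found = document.cookie.match(/(?:^|;\s*)XSRF-TOKEN=([^;]*)/);
  return found ? found[1] : undefined;
}

  get headers() {
    const headers = { withCredentials: true };
    const token = xsrfToken();
    if (token) {
      headers['X-XSRF-TOKEN'] = token;
    }
    return headers;
  }
```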
@@ -97,7 +97,12 @@ export default class WorkflowFiles extends Component {
 @action async uploadFile(FileUpload) {
 try {
- const response = await FileUpload.upload(ENV.fileServicePath);
+ const response = await FileUpload.upload(ENV.fileServicePath, {
+ withCredentials: true,
+ headers: {
+ 'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+ },
+ });
 const file = await response.json();