Skip to content

Change barcode scan form to use requestSubmit() to fix CSRF token error #1191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jbtronics merged 1 commit into from
Jan 18, 2026
Merged

Change barcode scan form to use requestSubmit() to fix CSRF token error #1191

jbtronics merged 1 commit into from
Jan 18, 2026

Conversation

@swdee
Copy link
Contributor

@swdee swdee commented Jan 15, 2026
edited
Loading

On the Label Scanner page I have developed scanning of LCSC barcodes. During testing the redirect to the Part page was not working and I was getting CSRF token errors and the request failing with a HTTP 422 error.

I noticed that the CSRF Token value being sent on the form submission had the placeholder text scan_dialog[_token] csrf-token , so the token itself was not being generated and submitted.

In the assets/controllers/csrf_protection_controller.js file it specifically states;

// Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager
// Use `form.requestSubmit()` to ensure that the submit event is triggered. Using `form.submit()` will not trigger the event
// and thus this event-listener will not be executed.

Sure enough the Label Scanner form submission was using form.submit() and not the required form.requestSubmit(). This PR patches that bug so CSRF token is now correctly generated on form submission.

I further note that this bug maybe present else where in the code as a grep shows;

$ rg -n "\.submit\(\)|requestSubmit\(" -S assets/controllers

assets/controllers/csrf_protection_controller.js
5:// Use `form.requestSubmit()` to ensure that the submit event is triggered. Using `form.submit()` will not trigger the event

assets/controllers/pages/barcode_scan_controller.js
73:        document.getElementById('scan_dialog_form').submit();

assets/controllers/helpers/form_cleanup_controller.js
65:        form.submit();

assets/controllers/elements/part_search_controller.js
122:                input.form.requestSubmit();

assets/controllers/elements/datatables/parts_controller.js
143:        //We need to do this that way, as we need the submitter info, just calling form.submit() would not work

The other possible bug is in the assets/controllers/helpers/form_cleanup_controller.js file, but as I am not sure which part of the code this effects, I have not proposed a change here. However that could be the failure for other CSRF issues in #911 and #1095

@swdee swdee mentioned this pull request Jan 17, 2026
Open
@jbtronics jbtronics merged commit 131023d into Part-DB:master Jan 18, 2026
@jbtronics
Copy link
Member

jbtronics commented Jan 18, 2026

Thanks.

I do not think that these issues are related to this however. For very large forms, you will run into the variable limit of PHP and then the csfr field is not submitted properly.

jbtronics added a commit that referenced this pull request Jan 18, 2026
@jbtronics
Use requestSubmit() in form cleanup controller to avoid CSFR issues
09cc2ba 
See #1191
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@swdee @jbtronics