Merge commit from fork

Co-authored-by: Ayushi Rathore <ayushirathore@Ayushis-MacBook-Air.local>
2026-06-28 06:55:48 +00:00 · 2026-06-21 21:04:29 +02:00
parent 0965928949
commit e125326720
4 changed files with 25 additions and 19 deletions
--- a/src/pages/deleteJob.tsx
+++ b/src/pages/deleteJob.tsx
@@ -8,7 +8,9 @@ import { Jobs } from "../db/types";

 export const deleteJob = new Elysia()
  .use(userService)
-  .get(
+  // SECURE: Use POST instead of GET for state-changing actions to prevent CSRF.
+  // Browsers automatically follow GET links, which can lead to silent data deletion.
+  .post(
    "/delete/:jobId",
    async ({ params, redirect, user }) => {
      const job = db
--- a/src/pages/history.tsx
+++ b/src/pages/history.tsx
@@ -185,15 +185,17 @@ export const history = new Elysia().use(userService).get(
                          >
                            <EyeIcon />
                          </a>
-                          <a
-                            class={`
-                              text-accent-500 underline
-                              hover:text-accent-400
-                            `}
-                            href={`${WEBROOT}/delete/${job.id}`}
-                          >
-                            <DeleteIcon />
-                          </a>
+                          <form action={`${WEBROOT}/delete/${job.id}`} method="POST" class="inline">
+                            <button
+                              type="submit"
+                              class={`
+                                text-accent-500 underline
+                                hover:text-accent-400
+                              `}
+                            >
+                              <DeleteIcon />
+                            </button>
+                          </form>
                        </td>
                      </tr>
                      <tr id={`details-${job.id}`} class="hidden">
--- a/src/pages/results.tsx
+++ b/src/pages/results.tsx
@@ -23,14 +23,16 @@ function ResultsArticle({
      <div class="mb-4 flex items-center justify-between">
        <h1 class="text-xl">Results</h1>
        <div class="flex flex-row gap-4">
-          <a
-            style={files.length !== job.num_files ? "pointer-events: none;" : ""}
-            class="flex btn-secondary flex-row gap-2 text-contrast"
-            href={`${WEBROOT}/delete/${job.id}`}
-            {...(files.length !== job.num_files ? { disabled: true, "aria-busy": "true" } : "")}
-          >
-            <DeleteIcon /> <p>Delete</p>
-          </a>
+          <form action={`${WEBROOT}/delete/${job.id}`} method="POST">
+            <button
+              type="submit"
+              style={files.length !== job.num_files ? "pointer-events: none;" : ""}
+              class="flex btn-secondary flex-row gap-2 text-contrast"
+              {...(files.length !== job.num_files ? { disabled: true, "aria-busy": "true" } : "")}
+            >
+              <DeleteIcon /> <p>Delete</p>
+            </button>
+          </form>
          <a
            style={files.length !== job.num_files ? "pointer-events: none;" : ""}
            href={`${WEBROOT}/archive/${job.id}`}