frontend/src/api/csrf.ts

/**
 * Module-level CSRF token holder.
 *
 * The token is populated by SessionProvider after a successful GET /api/session.
 * The fetch client middleware reads it on every non-GET/HEAD request.
 *
 * Per the project CSRF contract (m2-frontend-v2.md §3.2, orchestrator-decisions.md §3):
 * - Server checks presence/non-empty only, does NOT validate the value.
 * - Sending an empty-string or stale value will result in a 403; callers must
 *   ensure setCsrfToken() is called before issuing write requests.
 */

let _csrfToken = ''

/** Store the CSRF token returned by GET /api/session. */
export function setCsrfToken(token: string): void {
  _csrfToken = token
}

/** Return the current CSRF token (may be empty string if not yet set). */
export function getCsrfToken(): string {
  return _csrfToken
}
M2-T06: scaffold React SPA frontend with typed OpenAPI client 2026-06-13 09:52:56 +02:00			`/**`
			`* Module-level CSRF token holder.`
			`*`
			`* The token is populated by SessionProvider after a successful GET /api/session.`
			`* The fetch client middleware reads it on every non-GET/HEAD request.`
			`*`
			`* Per the project CSRF contract (m2-frontend-v2.md §3.2, orchestrator-decisions.md §3):`
			`* - Server checks presence/non-empty only, does NOT validate the value.`
			`* - Sending an empty-string or stale value will result in a 403; callers must`
			`* ensure setCsrfToken() is called before issuing write requests.`
			`*/`

			`let _csrfToken = ''`

			`/** Store the CSRF token returned by GET /api/session. */`
			`export function setCsrfToken(token: string): void {`
			`_csrfToken = token`
			`}`

			`/** Return the current CSRF token (may be empty string if not yet set). */`
			`export function getCsrfToken(): string {`
			`return _csrfToken`
			`}`