null/BillTracker
null
/
BillTracker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity
BillTracker/client/api.js

262 lines
11 KiB
JavaScript
Raw Normal View History

push
2026-05-09 13:03:36 -05:00
// Read CSRF token from cookie
function getCsrfToken() {
if (typeof document === 'undefined') return '';
const name = 'bt_csrf_token';
const match = document.cookie.match(new RegExp(name + '=([^;]+)'));
return match ? match[1] : '';
}
initial commit
2026-05-03 19:51:57 -05:00
async function _fetch(method, path, body) {
const opts = { method, headers: { 'Content-Type': 'application/json' }, credentials: 'include' };
push
2026-05-09 13:03:36 -05:00
// Add CSRF token header for state-changing methods
if (['POST', 'PUT', 'DELETE', 'PATCH'].includes(method)) {
const csrfToken = getCsrfToken();
if (csrfToken) {
opts.headers['x-csrf-token'] = csrfToken;
}
}
initial commit
2026-05-03 19:51:57 -05:00
if (body !== undefined) opts.body = JSON.stringify(body);
const res = await fetch('/api' + path, opts);
const data = await res.json();
if (!res.ok) {
const err = new Error(data.message || data.error || `HTTP ${res.status}`);
err.status = res.status;
err.data = data;
err.details = data.details || [];
err.code = data.code;
throw err;
}
return data;
}
const get = (path) => _fetch('GET', path);
const post = (path, body) => _fetch('POST', path, body);
const put = (path, body) => _fetch('PUT', path, body);
const del = (path) => _fetch('DELETE', path);
function filenameFromDisposition(value) {
if (!value) return null;
const match = value.match(/filename="?([^"]+)"?/i);
return match ? match[1] : null;
}
export const api = {
// Auth
me: () => get('/auth/me'),
authMode: () => get('/auth/mode'),
login: (data) => post('/auth/login', data),
logout: () => post('/auth/logout'),
restoreMultiUserMode: () => post('/auth/restore-multi-user-mode'),
changePassword: (data) => post('/auth/change-password', data),
acknowledgePrivacy: () => post('/auth/acknowledge-privacy'),
// Admin
hasUsers: () => get('/admin/has-users'),
adminUsers: () => get('/admin/users'),
createUser: (data) => post('/admin/users', data),
resetPassword: (id, data) => put(`/admin/users/${id}/password`, data),
updateUserRole: (id, data) => put(`/admin/users/${id}/role`, data),
push
2026-05-04 23:34:24 -05:00
updateUserActive: (id, data) => put(`/admin/users/${id}/active`, data),
initial commit
2026-05-03 19:51:57 -05:00
deleteUser: (id) => del(`/admin/users/${id}`),
authModeConfig: () => get('/admin/auth-mode'),
setAuthMode: (data) => put('/admin/auth-mode', data),
testOidcConfig: (data) => post('/admin/auth-mode/oidc-test', data),
adminBackups: () => get('/admin/backups'),
createAdminBackup: () => post('/admin/backups'),
deleteAdminBackup: (id) => del(`/admin/backups/${encodeURIComponent(id)}`),
restoreAdminBackup: (id) => post(`/admin/backups/${encodeURIComponent(id)}/restore`),
adminBackupSettings: () => get('/admin/backups/settings'),
saveAdminBackupSettings: (data) => put('/admin/backups/settings', data),
runScheduledBackupNow: () => post('/admin/backups/run-scheduled-now'),
adminCleanup: () => get('/admin/cleanup'),
saveAdminCleanup: (data) => put('/admin/cleanup', data),
runAdminCleanup: () => post('/admin/cleanup/run'),
push
2026-05-09 13:03:36 -05:00
seedDemoData: () => post('/user/seed-demo-data'),
clearDemoData: () => post('/user/clear-demo-data'),
fix: starting amounts paid_from_other calculation + pay badge alignment on tracker
2026-05-11 15:00:35 -05:00
seededStatus: () => get('/user/seeded-status'),
initial commit
2026-05-03 19:51:57 -05:00
downloadAdminBackup: async (id) => {
const res = await fetch(`/api/admin/backups/${encodeURIComponent(id)}/download`, {
credentials: 'include',
});
if (!res.ok) {
let data = {};
try { data = await res.json(); } catch {}
throw new Error(data.error || `HTTP ${res.status}`);
}
return {
blob: await res.blob(),
filename: filenameFromDisposition(res.headers.get('Content-Disposition')) || id,
};
},
importAdminBackup: async (file) => {
const res = await fetch('/api/admin/backups/import', {
method: 'POST',
credentials: 'include',
v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed - RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs, lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints - Import CSRF fix: added x-csrf-token header to importAdminBackup, previewSpreadsheetImport, previewUserDbImport raw fetch() calls - Removed AdminDashboard.jsx, replaced by RoadmapPage - Added @radix-ui/react-collapsible + collapsible shadcn component - Security audit by Private_Hudson: PASS (CSRF fix verified, admin endpoints gated, path traversal mitigated, XSS safe)
2026-05-11 21:42:36 -05:00
headers: { 'Content-Type': 'application/octet-stream', 'x-csrf-token': getCsrfToken() },
initial commit
2026-05-03 19:51:57 -05:00
body: file,
});
const data = await res.json();
if (!res.ok) {
const err = new Error(data.message || data.error || `HTTP ${res.status}`);
err.status = res.status;
err.data = data;
err.details = data.details || [];
err.code = data.code;
throw err;
}
return data;
},
// Notifications (admin)
notifAdmin: () => get('/notifications/admin'),
saveNotifAdmin: (data) => put('/notifications/admin', data),
testEmail: (data) => post('/notifications/test', data),
notifMe: () => get('/notifications/me'),
saveNotifMe: (data) => put('/notifications/me', data),
// Profile
profile: () => get('/profile'),
updateProfile: (data) => _fetch('PATCH', '/profile', data),
profileSettings: () => get('/profile/settings'),
updateProfileSettings: (data) => _fetch('PATCH', '/profile/settings', data),
changeProfilePassword: (data) => post('/profile/change-password', data),
profileExports: () => get('/profile/exports'),
profileImportHistory: () => get('/profile/import-history'),
// Tracker
tracker: (y, m) => get(`/tracker?year=${y}&month=${m}`),
upcomingBills: (days = 30) => get(`/tracker/upcoming?days=${days}`),
calendar
2026-05-04 13:14:32 -05:00
// Calendar
calendar: (y, m) => get(`/calendar?year=${y}&month=${m}`),
init
2026-05-04 16:38:03 -05:00
// Summary
summary: (y, m) => get(`/summary?year=${y}&month=${m}`),
saveSummaryIncome: (data) => put('/summary/income', data),
push
2026-05-04 20:12:57 -05:00
getMonthlyStartingAmounts: (y, m) => get(`/monthly-starting-amounts?year=${y}&month=${m}`),
updateMonthlyStartingAmounts: (data) => put('/monthly-starting-amounts', data),
init
2026-05-04 16:38:03 -05:00
initial commit
2026-05-03 19:51:57 -05:00
// Bills
bills: () => get('/bills'),
allBills: () => get('/bills?inactive=true'),
bill: (id) => get(`/bills/${id}`),
createBill: (data) => post('/bills', data),
updateBill: (id, data) => put(`/bills/${id}`, data),
0.28.0 snowball release
2026-05-14 02:11:54 -05:00
updateBillBalance: (id, bal) => _fetch('PATCH', `/bills/${id}/balance`, { current_balance: bal }),
snowball bug fixes
2026-05-14 03:00:01 -05:00
updateBillSnowball: (id, data) => _fetch('PATCH', `/bills/${id}/snowball`, data),
initial commit
2026-05-03 19:51:57 -05:00
deleteBill: (id) => del(`/bills/${id}`),
push
2026-05-09 13:03:36 -05:00
togglePaid: (id, data) => post(`/bills/${id}/toggle-paid`, data),
initial commit
2026-05-03 19:51:57 -05:00
billPayments: (id, p, l) => get(`/bills/${id}/payments?page=${p||1}&limit=${l||20}`),
billMonthlyState: (id, y, m) => get(`/bills/${id}/monthly-state?year=${y}&month=${m}`),
saveBillMonthlyState: (id, data) => put(`/bills/${id}/monthly-state`, data),
billHistoryRanges: (id) => get(`/bills/${id}/history-ranges`),
createBillHistoryRange: (id, data) => post(`/bills/${id}/history-ranges`, data),
updateBillHistoryRange: (id, rangeId, data) => put(`/bills/${id}/history-ranges/${rangeId}`, data),
deleteBillHistoryRange: (id, rangeId) => del(`/bills/${id}/history-ranges/${rangeId}`),
// Payments
quickPay: (data) => post('/payments/quick', data),
bulkPay: (items) => post('/payments/bulk', items),
createPayment: (data) => post('/payments', data),
updatePayment: (id, data) => put(`/payments/${id}`, data),
deletePayment: (id) => del(`/payments/${id}`),
restorePayment: (id) => post(`/payments/${id}/restore`),
0.28.0 snowball release
2026-05-14 02:11:54 -05:00
// Snowball
snowball: () => get('/snowball'),
snowballSettings: () => get('/snowball/settings'),
saveSnowballSettings: (data) => _fetch('PATCH', '/snowball/settings', data),
saveSnowballOrder: (items) => _fetch('PATCH', '/snowball/order', items),
snowballProjection: () => get('/snowball/projection'),
initial commit
2026-05-03 19:51:57 -05:00
// Categories
categories: () => get('/categories'),
createCategory: (data) => post('/categories', data),
updateCategory: (id, data) => put(`/categories/${id}`, data),
deleteCategory: (id) => del(`/categories/${id}`),
// Settings
settings: () => get('/settings'),
saveSettings: (data) => put('/settings', data),
calendar
2026-05-04 13:14:32 -05:00
// Analytics
analyticsSummary: (params = {}) => {
const qs = new URLSearchParams();
Object.entries(params).forEach(([key, value]) => {
if (value !== undefined && value !== null && value !== '') qs.set(key, String(value));
});
const query = qs.toString();
return get(`/analytics/summary${query ? `?${query}` : ''}`);
},
initial commit
2026-05-03 19:51:57 -05:00
// Status
status: () => get('/status'),
// Version (public)
push
2026-05-04 20:12:57 -05:00
about: () => get('/about'),
feat: add admin about page with security hardening - Add /api/about-admin endpoint (admin-only, path traversal protection, content redaction, error sanitization) - Add /admin/about route with RequireAuth admin guard - Add adminActionLimiter rate limiting on about-admin endpoint - Add rehype-sanitize XSS prevention in AboutPage.jsx - Add aboutAdmin API client endpoint - Create HISTORY.md with version bump convention (patch/minor/major) - Update Engineering Reference Manual with about-admin docs and security measures - Add INIT_REGULAR_USER/INIT_REGULAR_PASS env vars to docs - Update FUTURE.md with critical regular user env var item
2026-05-09 16:25:12 -05:00
aboutAdmin: () => get('/about-admin'),
v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed - RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs, lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints - Import CSRF fix: added x-csrf-token header to importAdminBackup, previewSpreadsheetImport, previewUserDbImport raw fetch() calls - Removed AdminDashboard.jsx, replaced by RoadmapPage - Added @radix-ui/react-collapsible + collapsible shadcn component - Security audit by Private_Hudson: PASS (CSRF fix verified, admin endpoints gated, path traversal mitigated, XSS safe)
2026-05-11 21:42:36 -05:00
roadmap: () => get('/about-admin/roadmap'),
devLog: () => get('/about-admin/dev-log'),
initial commit
2026-05-03 19:51:57 -05:00
version: () => get('/version'),
releaseHistory: () => get('/version/history'),
// Export (returns a URL to navigate to, not a fetch)
exportUrl: (year, fmt) => `/api/export?year=${year}&format=${fmt||'csv'}`,
// Spreadsheet Import
previewSpreadsheetImport: async (file, options = {}) => {
const params = new URLSearchParams();
if (options.parseAllSheets) params.set('parse_all_sheets', 'true');
if (options.defaultYear) params.set('year', String(options.defaultYear));
if (options.defaultMonth) params.set('month', String(options.defaultMonth));
const qs = params.toString();
const res = await fetch(`/api/import/spreadsheet/preview${qs ? `?${qs}` : ''}`, {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/octet-stream',
v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed - RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs, lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints - Import CSRF fix: added x-csrf-token header to importAdminBackup, previewSpreadsheetImport, previewUserDbImport raw fetch() calls - Removed AdminDashboard.jsx, replaced by RoadmapPage - Added @radix-ui/react-collapsible + collapsible shadcn component - Security audit by Private_Hudson: PASS (CSRF fix verified, admin endpoints gated, path traversal mitigated, XSS safe)
2026-05-11 21:42:36 -05:00
'x-csrf-token': getCsrfToken(),
initial commit
2026-05-03 19:51:57 -05:00
...(file.name ? { 'X-Filename': file.name } : {}),
},
body: file,
});
const data = await res.json();
if (!res.ok) {
const err = new Error(data.message || data.error || `HTTP ${res.status}`);
err.status = res.status;
err.data = data;
err.details = data.details || [];
err.code = data.code;
throw err;
}
return data;
},
applySpreadsheetImport: (data) => post('/import/spreadsheet/apply', data),
importHistory: () => get('/import/history'),
// User SQLite import
previewUserDbImport: async (file) => {
const res = await fetch('/api/import/user-db/preview', {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/octet-stream',
v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed - RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs, lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints - Import CSRF fix: added x-csrf-token header to importAdminBackup, previewSpreadsheetImport, previewUserDbImport raw fetch() calls - Removed AdminDashboard.jsx, replaced by RoadmapPage - Added @radix-ui/react-collapsible + collapsible shadcn component - Security audit by Private_Hudson: PASS (CSRF fix verified, admin endpoints gated, path traversal mitigated, XSS safe)
2026-05-11 21:42:36 -05:00
'x-csrf-token': getCsrfToken(),
initial commit
2026-05-03 19:51:57 -05:00
...(file.name ? { 'X-Filename': file.name } : {}),
},
body: file,
});
const data = await res.json();
if (!res.ok) {
const err = new Error(data.message || data.error || `HTTP ${res.status}`);
err.status = res.status;
err.data = data;
err.details = data.details || [];
err.code = data.code;
throw err;
}
return data;
},
applyUserDbImport: (data) => post('/import/user-db/apply', data),
};