feat: allow csrf passing through querystring

api/src/unraid-api/auth/casbin/casbin.service.ts

@@ -2,6 +2,8 @@ import { Injectable, InternalServerErrorException, Logger, OnModuleInit } from '
 
 import { Model as CasbinModel, Enforcer, newEnforcer, StringAdapter } from 'casbin';
 
+import { LOG_LEVEL } from '@app/environment';
+
 @Injectable()
 export class CasbinService {
     private readonly logger = new Logger(CasbinService.name);
@@ -18,7 +20,9 @@ export class CasbinService {
         const casbinPolicy = new StringAdapter(policy);
         try {
             const enforcer = await newEnforcer(casbinModel, casbinPolicy);
-            enforcer.enableLog(true);
+            if (LOG_LEVEL === 'TRACE') {
+                enforcer.enableLog(true);
+            }
 
             return enforcer;
         } catch (error: unknown) {

api/src/unraid-api/auth/cookie.strategy.ts

@@ -19,8 +19,9 @@ export class UserCookieStrategy extends PassportStrategy(Strategy, strategyName)
 
     public validate = async (req: CustomRequest): Promise<any> => {
         return (
-            this.authService.validateCsrfToken(req.headers['x-csrf-token']) &&
-            this.authService.validateCookiesCasbin(req.cookies)
+            this.authService.validateCsrfToken(
+                req.headers['x-csrf-token'] || (req.params as { csrf_token?: string })?.csrf_token
+            ) && this.authService.validateCookiesCasbin(req.cookies)
         );
     };
 }

web/components/DownloadApiLogs.ce.vue

@@ -6,7 +6,11 @@ import { useI18n } from 'vue-i18n';
 
 const { t } = useI18n();
 
-const downloadUrl = computed(() => new URL(`/graphql/api/logs`, WEBGUI_GRAPHQL));
+const downloadUrl = computed(() => {
+  const url = new URL(`/graphql/api/logs`, WEBGUI_GRAPHQL);
+  url.searchParams.append('csrf_token', globalThis.csrf_token);
+  return url;
+});
 </script>
 
 <template>