fix: add CSRF token to delete direct link request

The DELETE /api/direct-link/:id endpoint requires CSRF validation. Updated api_delete_direct_link to fetch CSRF token before sending the request, matching the pattern used by api_delete_share. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:44:05 +08:00
parent cf1935be1d
commit ceff377d90
1 changed files with 9 additions and 4 deletions
--- a/desktop-client/src-tauri/src/lib.rs
+++ b/desktop-client/src-tauri/src/lib.rs
@@ -1054,13 +1054,18 @@ async fn api_delete_direct_link(
    base_url: String,
    link_id: i64,
 ) -> Result<BridgeResponse, String> {
-    request_with_optional_csrf(
+    if link_id <= 0 {
+        return Err("无效的直链ID".to_string());
+    }
+
+    let csrf_token = fetch_csrf_token(&state.client, &base_url).await?;
+    let path = format!("/api/direct-link/{}", link_id);
+    request_json(
        &state.client,
        Method::DELETE,
-        &base_url,
-        &format!("/api/direct-link/{}", link_id),
+        join_api_url(&base_url, &path),
        None,
-        false,
+        csrf_token,
    )
    .await
 }