A bugfix release resolving #42 ("Buttons not working") and two further bugs uncovered while verifying the fix. No new features; no API or configuration changes.
Fixed
- "Install CA in System" always failed with "Invalid CSRF token" (#42). The frontend
apiRequesthelper spread the caller's options after the constructed headers object in both of itsfetchcalls, so the one caller that passed a customheadersoption (the Install CA handler) silently discarded theX-CSRF-Tokenheader — on the first attempt and on the automatic retry. Options are now spread before the merged headers so the token always survives. - Every button wired with an inline
onclick="…"attribute was dead (#42): Download Root CA, all certificate-card actions (download cert/key/bundle, generate PFX, archive, restore, delete), alert close buttons, and all five SCEP-page buttons. helmet 8's default CSP directivescript-src-attr 'none'blocks inline handler attributes even thoughscript-srcallows'unsafe-inline'. All 14 inline handlers are migrated toaddEventListener— certificate cards through a single delegated listener withdata-actionattributes — and the strict CSP is kept. - "Delete Forever" on an archived certificate always returned 404. The archive endpoint moves files into the folder's
archive/subdirectory, but the DELETE route only looked in the folder itself. Latent until now because the button was unclickable under the CSP bug above. The route now checks both locations. - Settings-page alert close buttons broke when two alerts appeared in the same millisecond (they share a
Date.now()-based element id). Close buttons are now wired to the alert element itself instead of an id lookup.
Added
- Regression tests: the served CSP must keep
script-src-attr 'none'plus the app's directives, and no frontend source may contain an inline event-handler attribute. The helmet options moved tosrc/config/securityHeaders.jsso tests can mount them without booting the server. - Tests for deleting archived and active certificates.
Full Changelog: v4.2.0...v4.2.1