refactor, security updates, cv extraction upgrades

job-tracker-ui/src/api.ts

@@ -1,6 +1,5 @@
 import axios from "axios";
-import { getAuthToken } from "./auth";
-import { clearAuthToken } from "./auth";
+import { clearAuthClientState, getCsrfToken } from "./auth";
 
 export function getApiErrorMessage(error: any, fallback = "Request failed.") {
   const data = error?.response?.data;
@@ -33,13 +32,19 @@ const defaultBaseUrl =
 
 export const api = axios.create({
   baseURL: envBaseUrl && envBaseUrl.trim().length > 0 ? envBaseUrl : defaultBaseUrl,
+  withCredentials: true,
+  xsrfCookieName: "XSRF-TOKEN",
+  xsrfHeaderName: "X-CSRF-TOKEN",
 });
 
 api.interceptors.request.use((config) => {
-  const token = getAuthToken();
-  if (token) {
-    config.headers = config.headers ?? {};
-    config.headers.Authorization = `Bearer ${token}`;
+  const method = (config.method ?? "get").toUpperCase();
+  if (["POST", "PUT", "PATCH", "DELETE"].includes(method)) {
+    const csrfToken = getCsrfToken();
+    if (csrfToken) {
+      config.headers = config.headers ?? {};
+      config.headers["X-CSRF-TOKEN"] = csrfToken;
+    }
   }
   return config;
 });
@@ -47,12 +52,9 @@ api.interceptors.request.use((config) => {
 api.interceptors.response.use(
   (r) => r,
   (err) => {
-    // If tokens expire (Google ID tokens are short-lived), clear and let the UI prompt the user.
     const status = err?.response?.status;
     if (status === 401) {
-      clearAuthToken();
-      // Avoid hard navigation loops; let views handle the missing token state.
-      // We still reject so callers can show a toast if they want.
+      clearAuthClientState();
     }
     return Promise.reject(err);
   },