Fix issues in new v2 API

server/mergin/app.py

@@ -252,7 +252,7 @@ def custom_protect():
     _get_csrf_token = csrf._get_csrf_token
 
     def get_csrf_token():
-        if request.path.startswith("/v1/"):
+        if request.path.startswith("/v1/") or request.path.startswith("/v2/"):
             for header_name in app.app.config["WTF_CSRF_HEADERS"]:
                 csrf_token = request.headers.get(header_name)
                 if csrf_token:

server/mergin/auth/controller.py

@@ -510,7 +510,9 @@ def create_user():
     username = request.json.get(
         "username", User.generate_username(request.json["email"])
     )
-    form = UserRegistrationForm()
+
+    # in public endpoint we want to disable form csrf - for browser clients endpoint is protected anyway
+    form = UserRegistrationForm(meta={"csrf": False})
     form.confirm.data = form.password.data
     form.username.data = username
     if not form.validate():

server/mergin/sync/public_api_v2.yaml

@@ -136,10 +136,10 @@ paths:
             schema:
               type: object
               required:
-                - username
+                - user
                 - role
               properties:
-                username:
+                user:
                   type: string
                   example: john.doe
                   description: username or email

server/mergin/sync/public_api_v2_controller.py

@@ -93,7 +93,7 @@ def get_project_collaborators(id):
 def add_project_collaborator(id):
     """Add project collaborator"""
     project = require_project_by_uuid(id, ProjectPermissions.Update)
-    user = User.get_by_login(request.json["username"])
+    user = User.get_by_login(request.json["user"])
     if not user:
         abort(404)
 

server/mergin/tests/test_public_api_v2.py

@@ -90,7 +90,7 @@ def test_project_members(client):
     assert response.status_code == 404
 
     # add direct access
-    response = client.post(url, json={"role": role, "username": user.email})
+    response = client.post(url, json={"role": role, "user": user.email})
     assert response.status_code == 201
     assert response.json["id"] == user.id
     assert response.json["project_role"] == role

web-app/packages/lib/src/modules/project/store.ts

@@ -811,7 +811,7 @@ export const useProjectStore = defineStore('projectModule', {
         if (!payload.access.project_role) {
           await ProjectApi.addProjectCollaborator(payload.projectId, {
             ...payload.data,
-            username: payload.access.username
+            user: payload.access.username
           })
         } else {
           await ProjectApi.updateProjectCollaborator(
@@ -844,7 +844,7 @@ export const useProjectStore = defineStore('projectModule', {
         if (!payload.collaborator.project_role) {
           await ProjectApi.addProjectCollaborator(payload.projectId, {
             ...payload.data,
-            username: payload.collaborator.username
+            user: payload.collaborator.username
           })
         } else {
           await ProjectApi.updateProjectCollaborator(

web-app/packages/lib/src/modules/project/types.ts

@@ -295,7 +295,7 @@ export type EnhancedProjectDetail = ProjectDetail & {
 
 export interface AddProjectCollaboratorPayload {
   role: ProjectRoleName
-  username: string
+  user: string
 }
 
 export interface UpdateProjectCollaboratorPayload {