From c649dbbcc233852c970b13637cda57d67a6542b9 Mon Sep 17 00:00:00 2001
From: Yisroel Baum <yisroel.d.baum@gmail.com>
Date: Fri, 24 Apr 2026 13:30:54 +0300
Subject: [PATCH] include credentials on fetch calls

---
 public/js/home.js  | 4 +++-
 public/js/text.js  | 6 ++++--
 public/js/texts.js | 5 ++++-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/public/js/home.js b/public/js/home.js
index c943cd4..e7abc7c 100644
--- a/public/js/home.js
+++ b/public/js/home.js
@@ -3,7 +3,9 @@ document.addEventListener('DOMContentLoaded', () => {
     const createPlanModal = document.getElementById('create-plan-modal');
 
     async function loadTexts() {
-        const response = await fetch('/api/texts');
+        const response = await fetch('/api/texts', {
+            credentials: 'same-origin',
+        });
         const texts = await response.json();
         textsList.innerHTML = texts
             .map(text =>
diff --git a/public/js/text.js b/public/js/text.js
index 0388bf6..59fc4ee 100644
--- a/public/js/text.js
+++ b/public/js/text.js
@@ -1,7 +1,7 @@
 document.addEventListener('DOMContentLoaded', () => {
     const textId = window.location.pathname.split('/').pop();
 
-    fetch('/api/texts/' + textId)
+    fetch('/api/texts/' + textId, { credentials: 'same-origin' })
         .then(res => res.json())
         .then(text => {
             const h1 = document.createElement('h1');
@@ -13,7 +13,7 @@ document.addEventListener('DOMContentLoaded', () => {
 });
 
 function fetchAndRenderNodes(textId) {
-    return fetch('/api/nodes/' + textId)
+    return fetch('/api/nodes/' + textId, { credentials: 'same-origin' })
         .then(res => res.json())
         .then(nodes => {
             const existing = document.querySelector('#text-detail > ul');
@@ -113,6 +113,7 @@ function toggleAddForm(li, parentNodeId, textId) {
         fetch('/api/nodes', {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
+            credentials: 'same-origin',
             body: JSON.stringify({ textId: parseInt(textId), title, parentNodeId }),
         })
             .then(res => {
@@ -157,6 +158,7 @@ function toggleBulkAddForm(li, parentNodeId, textId) {
         fetch('/api/nodes/bulk', {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
+            credentials: 'same-origin',
             body: JSON.stringify({ textId: parseInt(textId), parentNodeId, titlePrefix, count }),
         })
             .then(res => {
diff --git a/public/js/texts.js b/public/js/texts.js
index 1937749..029196d 100644
--- a/public/js/texts.js
+++ b/public/js/texts.js
@@ -3,7 +3,9 @@ document.addEventListener('DOMContentLoaded', () => {
     const form = document.getElementById('texts-form');
 
     async function loadTexts() {
-        const res = await fetch('/api/texts');
+        const res = await fetch('/api/texts', {
+            credentials: 'same-origin',
+        });
         const texts = await res.json();
         textsList.innerHTML = texts.map(text =>
             '<li><a href=/admin/texts/'
@@ -18,6 +20,7 @@ document.addEventListener('DOMContentLoaded', () => {
         const formData = new FormData(form);
         const res = await fetch('/api/texts', {
             method: 'POST',
+            credentials: 'same-origin',
             body: formData,
         });
         if (res.ok) {