From fb1161ee871aeac3e3c5fd151b56fa942aed823a Mon Sep 17 00:00:00 2001
From: Jeffrey Cruz
Date: Fri, 3 Apr 2026 19:12:08 -0400
Subject: [PATCH] fix: add credentials to saveApiKeys and revealApiKey for CSRF protection

These API calls were not sending the session cookie, causing the Flask CSRF protection to reject the requests with 403 'CSRF token missing or invalid'. Adding credentials: 'same-origin' ensures the browser includes the session cookie with the request.
---
 plugins/_model_config/webui/api-keys-mixin.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/plugins/_model_config/webui/api-keys-mixin.js b/plugins/_model_config/webui/api-keys-mixin.js
index 6db3c3b7f3..f0aa7561a8 100644
--- a/plugins/_model_config/webui/api-keys-mixin.js
+++ b/plugins/_model_config/webui/api-keys-mixin.js
@@ -111,6 +111,7 @@ export const apiKeysMethods = {
 }
 const res = await fetchApi(`${API_BASE}/api_keys`, {
+ credentials: 'same-origin',
 method: 'POST',
 headers: { 'Content-Type': 'application/json' },
 body: JSON.stringify({ action: 'set', keys: normalized })
@@ -149,6 +150,7 @@ export const apiKeysMethods = {
 async revealApiKey(provider) {
 const res = await fetchApi(`${API_BASE}/api_keys`, {
+ credentials: 'same-origin',
 method: 'POST',
 headers: { 'Content-Type': 'application/json' },
 body: JSON.stringify({ action: 'reveal', provider })
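Review bot: The added `credentials: 'same-origin'` in the `saveApiKeys` request (first hunk) and again in `revealApiKey` (second hunk) is the mode `fetch` already uses by default, so unless `fetchApi` (defined outside this diff) replaces the credentials mode, these two lines may not change what the browser sends. The 403 quoted in the description says the CSRF token is missing or invalid, which points at the token header at least as much as at the session cookie; it is worth confirming in `fetchApi` that the token is attached to these POSTs before treating the rejection as fixed. If the explicit mode does turn out to be required, setting it once inside `fetchApi` would cover every caller, and at these two call sites a comment such as `// explicit on purpose: fetchApi does not set a credentials mode (verify)` would record why it is here. Both calls continue past the end of their hunks, so how the response carrying the revealed key is checked and handled is not visible in this patch.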