From 09cc2ba8ffaaa8da2b376efd3f5817ac19564031 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <mail@jan-boehmer.de>
Date: Sun, 18 Jan 2026 22:24:17 +0100
Subject: [PATCH] Use requestSubmit() in form cleanup controller to avoid CSFR
 issues

See #1191
---
 assets/controllers/helpers/form_cleanup_controller.js | 4 ++--
 assets/js/webauthn_tfa.js                             | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/assets/controllers/helpers/form_cleanup_controller.js b/assets/controllers/helpers/form_cleanup_controller.js
index 23dac950..d554371d 100644
--- a/assets/controllers/helpers/form_cleanup_controller.js
+++ b/assets/controllers/helpers/form_cleanup_controller.js
@@ -62,6 +62,6 @@ export default class extends Controller {
             element.disabled = true;
         }
 
-        form.submit();
+        form.requestSubmit();
     }
-}
\ No newline at end of file
+}
diff --git a/assets/js/webauthn_tfa.js b/assets/js/webauthn_tfa.js
index 4d54efc0..440cb006 100644
--- a/assets/js/webauthn_tfa.js
+++ b/assets/js/webauthn_tfa.js
@@ -198,6 +198,7 @@ class WebauthnTFA {
     {
         const resultField = document.getElementById('_auth_code');
         resultField.value = JSON.stringify(data)
+        //requestSubmit() do not work here, probably because the submit is considered invalid. But as we do not use CSFR tokens, it should be fine.
         form.submit();
     }
 
@@ -232,4 +233,4 @@ class WebauthnTFA {
     }
 }
 
-window.webauthnTFA = new WebauthnTFA();
\ No newline at end of file
+window.webauthnTFA = new WebauthnTFA();