fix(settings): send JSON Content-Type on configuration PUTsHEADmain

fetch() defaults a string body to text/plain, which SvelteKit's
csrf_check_origin treats as a form submission. Behind portless's
HTTPS-to-HTTP dev proxy the Origin scheme mismatches url.origin
and the requests 403'd. Declaring application/json is correct for
the body and bypasses the form-content-type check.

2 files changed, 3 insertions, 0 deletions

diff --git a/src/lib/CommandPalette/syncActions.ts b/src/lib/CommandPalette/syncActions.ts
index 49859221..90c6a931 100644
--- a/src/lib/CommandPalette/syncActions.ts
+++ b/src/lib/CommandPalette/syncActions.ts
@@ -24,6 +24,7 @@ export const syncActions = (
 
 				fetch(root(`/api/configuration`), {
 					method: "PUT",
+					headers: { "Content-Type": "application/json" },
 					body: JSON.stringify(get(settings)),
 				})
 					.then((response) => {
diff --git a/src/lib/Settings/Categories/SettingSync.svelte b/src/lib/Settings/Categories/SettingSync.svelte
index 0cfe9261..867b2b47 100644
--- a/src/lib/Settings/Categories/SettingSync.svelte
+++ b/src/lib/Settings/Categories/SettingSync.svelte
@@ -29,6 +29,7 @@ import settingsSyncTimes from "$stores/settingsSyncTimes";
             } else {
               fetch(root(`/api/configuration`), {
                 method: 'PUT',
+                headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify($settings)
               }).then((response) => {
                 if (response.ok)
@@ -56,6 +57,7 @@ import settingsSyncTimes from "$stores/settingsSyncTimes";
 
       fetch(root(`/api/configuration`), {
         method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify($settings)
       }).then((response) => {
         if (response.ok)