PD-0000 - Add XSRF header fallback for prod code

src/app/core/xsrf/xsrf-fallback.interceptor.spec.ts

@@ -45,18 +45,6 @@ describe('XsrfFallbackInterceptor', () => {
     httpMock.verify()
   })
 
-  it('passes through without adding header when production is true', () => {
-    const env = (window as any).runtimeEnvironment
-    env.production = true
-    cookieGetSpy.and.returnValue('xsrf-token-123')
-
-    http.post(apiBase + 'works/work.json', {}).subscribe()
-
-    const req = httpMock.expectOne(apiBase + 'works/work.json')
-    expect(req.request.headers.has('x-xsrf-token')).toBe(false)
-    req.flush({})
-    env.production = false
-  })
 
   it('passes through GET requests without adding header', () => {
     http.get(apiBase + 'works/works.json').subscribe()

src/app/core/xsrf/xsrf-fallback.interceptor.ts

@@ -17,8 +17,6 @@ declare const runtimeEnvironment: any
  * support (configured via withXsrfConfiguration) does not attach the header,
  * especially when using the local proxy setup.
  *
- * Only active when not in production (local development runs).
- *
  * Behaviour:
  * - For mutating backend calls (POST/PUT/PATCH/DELETE) to ORCID web APIs:
  *   - If an XSRF header is already present, do nothing.
@@ -34,11 +32,6 @@ export class XsrfFallbackInterceptor implements HttpInterceptor {
     req: HttpRequest<any>,
     next: HttpHandler
   ): Observable<HttpEvent<any>> {
-    // Only apply fallback in local development (e.g. proxy / same-origin dev)
-    if (runtimeEnvironment.production) {
-      return next.handle(req)
-    }
-
     const method = (req.method ?? '').toUpperCase()
 
     // Only care about mutating requests