Add CSRF checks to profile editing.

2026-03-06 14:53:17 -03:00 · 2026-03-06 14:53:17 -03:00 · 47ebf77f24
parent 730b05dd58
commit 47ebf77f24
2 changed files with 7 additions and 0 deletions
--- a/handlers/profile_edit.go
+++ b/handlers/profile_edit.go
@ -23,6 +23,11 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 		}

 		if r.Method == http.MethodPost {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			// Handle file upload
 			file, handler, err := r.FormFile("pfp")
 			if err == nil {
@ -118,6 +123,7 @@ func ProfileEditHandler(app *App) http.HandlerFunc {
 				BasePath:         app.Config.ThreadrDir,
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
+				CSRFToken:        app.csrfToken(session),
 			},
 			User: *user,
 		}
--- a/templates/pages/profile_edit.html
+++ b/templates/pages/profile_edit.html
@ -14,6 +14,7 @@
        </header>
        <section>
            <form method="post" action="{{.BasePath}}/profile/edit/" enctype="multipart/form-data">
+                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                <label for="display_name">Display Name:</label>
                <input type="text" id="display_name" name="display_name" value="{{.User.DisplayName}}" maxlength="255"><br>
                <label for="pfp">Profile Picture:</label>