diff --git a/handlers/signup.go b/handlers/signup.go
index 0404679..1652840 100644
--- a/handlers/signup.go
+++ b/handlers/signup.go
@@ -12,6 +12,11 @@ func SignupHandler(app *App) http.HandlerFunc {
 session := r.Context().Value("session").(*sessions.Session)
 cookie, _ := r.Cookie("threadr_cookie_banner")
 if r.Method == http.MethodPost {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 username := r.FormValue("username")
 password := r.FormValue("password")
 passwordConfirm := r.FormValue("password_confirm")
@@ -31,6 +36,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "Passwords do not match. Please try again.",
 }
@@ -57,6 +63,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "An error occurred during sign up. Please try again.",
 }
@@ -82,6 +89,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "",
 }
diff --git a/templates/pages/signup.html b/templates/pages/signup.html
index 0df10dc..7e7a250 100644
--- a/templates/pages/signup.html
+++ b/templates/pages/signup.html
@@ -17,6 +17,7 @@
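Review bot: The new POST guard delegates entirely to `app.validateCSRFToken(r, session)`, whose body is not in this diff, so the hunk does not show how the submitted token is read or compared; it should be taken from `r.PostFormValue("csrf_token")` rather than `r.FormValue`, so a token smuggled into the query string by a cross-site link is never honoured, and compared with `subtle.ConstantTimeCompare`. If the helper already does both, a one-line comment above the call would save the next reader a lookup, e.g. `// validateCSRFToken reads the POST body field only and compares in constant time.` The 403 branch returns without any log entry, which is acceptable for a public form but worth a debug-level log if the app has one, since a burst of rejected tokens is the usual symptom of a session-cookie misconfiguration rather than an attack. The enclosing SignupHandler closure starts before and ends after this hunk.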
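Review bot: `CSRFToken: app.csrfToken(session)` is repeated in each of the three page-data literals this commit touches, so every render path makes its own call and a future branch can silently omit the field and serve a form the new POST check will then reject. Computing it once near the top of the handler, `csrfToken := app.csrfToken(session)`, and writing `CSRFToken: csrfToken,` in each literal keeps the render paths in step. If csrfToken mints a fresh value and stores it in the session (its body is not in the diff), the session must also be persisted before the template is executed, otherwise the token the browser receives will not match the one the next POST is validated against. SignupHandler's body extends beyond this hunk on both sides.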

{{.Error}}

{{end}}
+
@@ -30,4 +31,4 @@ {{template "cookie_banner" .}} -{{end}} \ No newline at end of file +{{end}}