From 48363ccef98e735a7a28a094d6e5dd7f5afbb76f Mon Sep 17 00:00:00 2001
From: Jocadbz
Date: Fri, 6 Mar 2026 14:51:14 -0300
Subject: [PATCH] Add CSRF checks to signup.

---
 handlers/signup.go | 8 ++++++++
 templates/pages/signup.html | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/handlers/signup.go b/handlers/signup.go
index 0404679..1652840 100644
--- a/handlers/signup.go
+++ b/handlers/signup.go
@@ -12,6 +12,11 @@ func SignupHandler(app *App) http.HandlerFunc {
 session := r.Context().Value("session").(*sessions.Session)
 cookie, _ := r.Cookie("threadr_cookie_banner")
 if r.Method == http.MethodPost {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 username := r.FormValue("username")
 password := r.FormValue("password")
 passwordConfirm := r.FormValue("password_confirm")
@@ -31,6 +36,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "Passwords do not match. Please try again.",
 }
@@ -57,6 +63,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "An error occurred during sign up. Please try again.",
 }
@@ -82,6 +89,7 @@ func SignupHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 Error: "",
 }
diff --git a/templates/pages/signup.html b/templates/pages/signup.html
index 0df10dc..7e7a250 100644
--- a/templates/pages/signup.html
+++ b/templates/pages/signup.html
@@ -17,6 +17,7 @@
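Review bot: The rejected-CSRF branch added in the first hunk of handlers/signup.go returns a bare 403 without recording the event, so repeated failures on the signup endpoint leave no trace for operators; a log line before the `return` that records method and path but never the submitted token, e.g. `log.Printf("csrf check failed on %s %s", r.Method, r.URL.Path)` (or the app's own logger if it has one), would make this detectable. The placement itself is correct: the check runs before any form value is read, so a request with a bad token does no work. `validateCSRFToken` is not in this diff, so I would confirm separately that it compares with `crypto/subtle.ConstantTimeCompare` and rejects a request when the session holds no token yet rather than treating two empty strings as a match. SignupHandler's body begins and ends outside the hunk.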
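Review bot: `app.csrfToken(session)` is now called at three separate render sites in SignupHandler (the hunks at -31, -57 and -82), each building the same page struct; computing it once near the top of the handler, `csrfToken := app.csrfToken(session)`, and passing `CSRFToken: csrfToken` at each site would keep the three paths from drifting if a fourth render path is added later. If csrfToken mints a fresh token on every call rather than returning the one stored in the session, the single call also makes that behaviour explicit at one place; I cannot see the helper here, so this is a style point rather than a defect. The enclosing function starts and ends outside these hunks.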

{{.Error}}

{{end}}
+
@@ -30,4 +31,4 @@ {{template "cookie_banner" .}} -{{end}} \ No newline at end of file +{{end}}