From 730b05dd58549993a83cfce84ddec031bd8702aa Mon Sep 17 00:00:00 2001
From: Jocadbz
Date: Fri, 6 Mar 2026 14:53:14 -0300
Subject: [PATCH] Add CSRF checks to preferences.
---
 handlers/preferences.go | 6 ++++++
 templates/pages/preferences.html | 1 +
 2 files changed, 7 insertions(+)
diff --git a/handlers/preferences.go b/handlers/preferences.go
index 28b407a..2f17022 100644
--- a/handlers/preferences.go
+++ b/handlers/preferences.go
@@ -19,6 +19,11 @@ func PreferencesHandler(app *App) http.HandlerFunc {
 // Handle POST request (saving preferences)
 if r.Method == http.MethodPost {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 // Get form values
 autoSaveDrafts := r.FormValue("auto_save_drafts") == "on"
@@ -70,6 +75,7 @@ func PreferencesHandler(app *App) http.HandlerFunc {
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
 ContentTemplate: "preferences-content",
+ CSRFToken: app.csrfToken(session),
 },
 Preferences: prefs,
 ShowSuccess: showSuccess,
diff --git a/templates/pages/preferences.html b/templates/pages/preferences.html
index 6047c61..f9d3045 100644
--- a/templates/pages/preferences.html
+++ b/templates/pages/preferences.html
@@ -11,6 +11,7 @@
 {{end}}
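Review bot: A failed check at the added `if !app.validateCSRFToken(r, session)` returns a bare 403 and leaves no trace, yet a mismatched token on a state-changing form is exactly the event a defender wants to see in the logs; add a line before the `return`, e.g. `log.Printf("preferences: CSRF token rejected for %s", r.RemoteAddr)` (or the application's own logger if `App` carries one). The helper `validateCSRFToken` is defined outside this patch, so it is worth confirming there that the token comparison is constant-time (`subtle.ConstantTimeCompare`) and that it reads the same form field the template hunk posts under — the template's added line is not legible in this copy of the patch, so that coupling cannot be checked here. The enclosing `PreferencesHandler` closure begins and ends outside the hunk.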
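Review bot: `CSRFToken: app.csrfToken(session)` is evaluated on every render, including the re-render after a successful POST, so if `csrfToken` mints a fresh value rather than returning the one already stored in the session, a form left open in another tab will be rejected on submit; that helper is outside this patch, so confirm it is stable per session. A one-line comment on the struct field where `CSRFToken` is declared (also outside this patch), such as `// CSRFToken is echoed back by the form as a hidden input and verified on POST.`, would make the coupling between this data field and the template explicit.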
+

Draft Auto-Save