Add CSRF checks to preferences.

2026-03-06 14:53:14 -03:00 · 2026-03-06 14:53:14 -03:00 · 730b05dd58
parent 82a7e48827
commit 730b05dd58
2 changed files with 7 additions and 0 deletions
--- a/handlers/preferences.go
+++ b/handlers/preferences.go
@ -19,6 +19,11 @@ func PreferencesHandler(app *App) http.HandlerFunc {

 		// Handle POST request (saving preferences)
 		if r.Method == http.MethodPost {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			// Get form values
 			autoSaveDrafts := r.FormValue("auto_save_drafts") == "on"

@ -70,6 +75,7 @@ func PreferencesHandler(app *App) http.HandlerFunc {
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
 				ContentTemplate:  "preferences-content",
+				CSRFToken:        app.csrfToken(session),
 			},
 			Preferences: prefs,
 			ShowSuccess: showSuccess,
--- a/templates/pages/preferences.html
+++ b/templates/pages/preferences.html
@ -11,6 +11,7 @@
 {{end}}
 <section>
    <form method="post" action="{{.BasePath}}/preferences/">
+        <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
        <h3>Draft Auto-Save</h3>
        <label for="auto_save_drafts" style="display: flex; align-items: center; gap: 0.5em; cursor: pointer;">
            <input type="checkbox" id="auto_save_drafts" name="auto_save_drafts" {{if .Preferences.AutoSaveDrafts}}checked{{end}}>