Add CSRF checks to likes.

2026-03-06 14:53:23 -03:00 · 2026-03-06 14:53:23 -03:00 · f3749b3812
parent ca5ad07f26
commit f3749b3812
3 changed files with 10 additions and 2 deletions
--- a/handlers/like.go
+++ b/handlers/like.go
@ -23,6 +23,10 @@ func LikeHandler(app *App) http.HandlerFunc {
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}
+		if !app.validateCSRFToken(r, session) {
+			http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+			return
+		}

 		postIDStr := r.FormValue("post_id")
 		postID, err := strconv.Atoi(postIDStr)
--- a/static/likes.js
+++ b/static/likes.js
@ -5,6 +5,7 @@ function initLikeButtons() {
            var postId = btn.getAttribute('data-post-id');
            var type = btn.getAttribute('data-type');
            var basePath = btn.getAttribute('data-base-path');
+            var csrfToken = document.body ? document.body.getAttribute('data-csrf-token') : '';

            btn.disabled = true;

@ -14,7 +15,10 @@ function initLikeButtons() {

            fetch(basePath + '/like/', {
                method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'X-CSRF-Token': csrfToken
+                },
                body: body.toString()
            })
            .then(function(res) { return res.json(); })
--- a/templates/pages/thread.html
+++ b/templates/pages/thread.html
@ -7,7 +7,7 @@
    <script src="{{.StaticPath}}/likes.js" defer></script>
    <script src="{{.StaticPath}}/app.js" defer></script>
 </head>
-<body>
+<body data-csrf-token="{{.CSRFToken}}">
    {{template "navbar" .}}
    <main>
        <div class="breadcrumb">