From f3749b38121a93e7e8695afdf44f0ddc24b47a8b Mon Sep 17 00:00:00 2001
From: Jocadbz
Date: Fri, 6 Mar 2026 14:53:23 -0300
Subject: [PATCH] Add CSRF checks to likes.
---
 handlers/like.go | 4 ++++
 static/likes.js | 6 +++++-
 templates/pages/thread.html | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/handlers/like.go b/handlers/like.go
index 728fed8..a561292 100644
--- a/handlers/like.go
+++ b/handlers/like.go
@@ -23,6 +23,10 @@ func LikeHandler(app *App) http.HandlerFunc {
 http.Error(w, "Unauthorized", http.StatusUnauthorized)
 return
 }
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
 
 postIDStr := r.FormValue("post_id")
 postID, err := strconv.Atoi(postIDStr)
diff --git a/static/likes.js b/static/likes.js
index 9331c2c..3430aa3 100644
--- a/static/likes.js
+++ b/static/likes.js
@@ -5,6 +5,7 @@ function initLikeButtons() {
 var postId = btn.getAttribute('data-post-id');
 var type = btn.getAttribute('data-type');
 var basePath = btn.getAttribute('data-base-path');
+ var csrfToken = document.body ? document.body.getAttribute('data-csrf-token') : '';
 
 btn.disabled = true;
 
@@ -14,7 +15,10 @@ function initLikeButtons() {
 
 fetch(basePath + '/like/', {
 method: 'POST',
- headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'X-CSRF-Token': csrfToken
+ },
 body: body.toString()
 })
 .then(function(res) { return res.json(); })
diff --git a/templates/pages/thread.html b/templates/pages/thread.html
index 773149c..bf99658 100644
--- a/templates/pages/thread.html
+++ b/templates/pages/thread.html
@@ -7,7 +7,7 @@
 - + {{template "navbar" .}}
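Review bot: The new guard calls `app.validateCSRFToken(r, session)`, which is outside this diff, so the hunk alone does not show that it reads the `X-CSRF-Token` header static/likes.js now sends (rather than a form field) or that it compares the token with `subtle.ConstantTimeCompare`; both are worth confirming before relying on the check. A short comment would help the next reader, e.g. `// Reject cross-site POSTs: the token must match the one bound to this session (likes.js sends it in X-CSRF-Token).`. Note that the rejection body is plain text from `http.Error`, consistent with the Unauthorized branch just above it, which matters for the JSON-parsing client in the likes.js fetch hunk. `LikeHandler` begins and ends outside the hunk.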
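Review bot: `document.body.getAttribute('data-csrf-token')` returns `null` when the attribute is absent, so the `: ''` fallback on the added line only covers a missing `document.body`; a page rendered without the attribute would send the header value as the literal string "null". `var csrfToken = (document.body && document.body.getAttribute('data-csrf-token')) || '';` covers both cases. `initLikeButtons` continues outside the hunk.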
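Review bot: `.then(function(res) { return res.json(); })` on the last line still parses every response as JSON, but the server's new 403 (and the existing 401) bodies come from `http.Error` and are plain text, so a rejected token will reject the promise with a JSON parse error instead of a status-based failure. Add a status check before parsing, `if (!res.ok) { throw new Error('like request failed: ' + res.status); }`, so the rejection handler can tell a refused request from a malformed reply; that handler, and whether it resets `btn.disabled`, is outside this hunk. `initLikeButtons` continues outside the hunk.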