Add CSRF checks to likes.

handlers/like.go

@@ -23,6 +23,10 @@ func LikeHandler(app *App) http.HandlerFunc {
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}
+		if !app.validateCSRFToken(r, session) {
+			http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+			return
+		}
 
 		postIDStr := r.FormValue("post_id")
 		postID, err := strconv.Atoi(postIDStr)

static/likes.js

@@ -5,6 +5,7 @@ function initLikeButtons() {
             var postId = btn.getAttribute('data-post-id');
             var type = btn.getAttribute('data-type');
             var basePath = btn.getAttribute('data-base-path');
+            var csrfToken = document.body ? document.body.getAttribute('data-csrf-token') : '';
 
             btn.disabled = true;
 
@@ -14,7 +15,10 @@ function initLikeButtons() {
 
             fetch(basePath + '/like/', {
                 method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'X-CSRF-Token': csrfToken
+                },
                 body: body.toString()
             })
             .then(function(res) { return res.json(); })

templates/pages/thread.html

@@ -7,7 +7,7 @@
     <script src="{{.StaticPath}}/likes.js" defer></script>
     <script src="{{.StaticPath}}/app.js" defer></script>
 </head>
-<body>
+<body data-csrf-token="{{.CSRFToken}}">
     {{template "navbar" .}}
     <main>
         <div class="breadcrumb">