add csrf_token to JavaScript actions

CHANGELOG.md

@@ -3,11 +3,13 @@
 ## 0.10.0
 + Codebase refactor (with breaking changes!)
 + Dropped support for Python<=3.9
++ Switched database to PostgreSQL
 + Move ALL config to .env (config.py is NO MORE supported)
 + Config SITE_NAME replaced with APP_NAME
 + Add CSRF token and flask_WTF
 + Schema changes: biography and website moved to `User`; `UserProfile` table deprecated (and useless fields removed)
 + Posts can now be permanently deleted
++ Miscellaneous style changes
 
 ## 0.9.0
 

src/coriplus/__init__.py

@@ -24,7 +24,7 @@ from flask_wtf import CSRFProtect
 import dotenv
 import logging
 
-__version__ = '0.10.0-dev47'
+__version__ = '0.10.0-dev50'
 
 # we want to support Python 3.10+ only.
 # Python 2 has too many caveats.

src/coriplus/ajax.py

@@ -5,8 +5,9 @@ Warning: this is not the public API.
 '''
 
 from flask import Blueprint, jsonify
+from flask_login import current_user
 from .models import User, Message, MessageUpvote
-from .utils import locations, get_current_user, is_username
+from .utils import locations, is_username
 import datetime
 
 bp = Blueprint('ajax', __name__, url_prefix='/ajax')
@@ -39,7 +40,7 @@ def location_search(name):
 
 @bp.route('/score/<int:id>/toggle', methods=['POST'])
 def score_toggle(id):
-    user = get_current_user()
+    user = current_user
     message = Message[id]
     upvoted_by_self = (MessageUpvote
             .select()

src/coriplus/static/lib.js

@@ -99,12 +99,20 @@ function showHideMessageOptions(id){
   }
 }
 
+function getCsrfToken () {
+  var csrf_token = document.querySelector('meta[name="csrf_token"]');
+  return csrf_token?.getAttribute('content');
+}
+
 function toggleUpvote(id){
   var msgElem = document.getElementById(id);
-  var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0];
+  //var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0];
   var scoreCounter = msgElem.getElementsByClassName('message-score')[0];
+  var body = "csrf_token=" + getCsrfToken();
   var xhr = new XMLHttpRequest();
   xhr.open("POST", "/ajax/score/" + id + "/toggle", true);
+  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+  // TODO add csrf token somewhere
   xhr.onreadystatechange = function(){
     if(xhr.readyState == XMLHttpRequest.DONE){
       if(xhr.status == 200){
@@ -114,5 +122,5 @@ function toggleUpvote(id){
       }
     }
   };
-  xhr.send();
+  xhr.send(body);
 }

src/coriplus/templates/base.html

@@ -6,6 +6,7 @@
     <link rel="stylesheet" type="text/css" href="/static/style.css">
     <meta name="og:title" content="Cori+">
     <meta name="og:description" content="A simple social network. Post text statuses, optionally with image.">
+    <meta name="csrf_token" content="{{ csrf_token() }}">
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Funnel+Sans:ital,wght@0,300..800;1,300..800&family=Inter:ital,opsz,wght@0,14..32,100..900;1,14..32,100..900&display=swap" rel="stylesheet">