add csrf_token to JavaScript actions

2025-12-19 11:10:32 +01:00 · 2025-12-19 11:10:32 +01:00 · b29fa75226
commit b29fa75226
parent 8369035693
5 changed files with 17 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,11 +3,13 @@
 ## 0.10.0
 + Codebase refactor (with breaking changes!)
 + Dropped support for Python<=3.9
+ Switched database to PostgreSQL
 + Move ALL config to .env (config.py is NO MORE supported)
 + Config SITE_NAME replaced with APP_NAME
 + Add CSRF token and flask_WTF
 + Schema changes: biography and website moved to `User`; `UserProfile` table deprecated (and useless fields removed)
 + Posts can now be permanently deleted
+ Miscellaneous style changes

 ## 0.9.0

--- a/src/coriplus/init.py
+++ b/src/coriplus/init.py
@ -24,7 +24,7 @@ from flask_wtf import CSRFProtect
 import dotenv
 import logging

-__version__ = '0.10.0-dev47'
+__version__ = '0.10.0-dev50'

 # we want to support Python 3.10+ only.
 # Python 2 has too many caveats.
--- a/src/coriplus/ajax.py
+++ b/src/coriplus/ajax.py
@ -5,8 +5,9 @@ Warning: this is not the public API.
 '''

 from flask import Blueprint, jsonify
+from flask_login import current_user
 from .models import User, Message, MessageUpvote
-from .utils import locations, get_current_user, is_username
+from .utils import locations, is_username
 import datetime

 bp = Blueprint('ajax', __name__, url_prefix='/ajax')
@ -39,7 +40,7 @@ def location_search(name):

@bp.route('/score/<int:id>/toggle', methods=['POST'])
 def score_toggle(id):
-    user = get_current_user()
+    user = current_user
    message = Message[id]
    upvoted_by_self = (MessageUpvote
            .select()
--- a/src/coriplus/static/lib.js
+++ b/src/coriplus/static/lib.js
@ -99,12 +99,20 @@ function showHideMessageOptions(id){
  }
 }

+function getCsrfToken () {
+  var csrf_token = document.querySelector('meta[name="csrf_token"]');
+  return csrf_token?.getAttribute('content');
+}
+
 function toggleUpvote(id){
  var msgElem = document.getElementById(id);
-  var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0];
+  //var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0];
  var scoreCounter = msgElem.getElementsByClassName('message-score')[0];
+  var body = "csrf_token=" + getCsrfToken();
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "/ajax/score/" + id + "/toggle", true);
+  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+  // TODO add csrf token somewhere
  xhr.onreadystatechange = function(){
    if(xhr.readyState == XMLHttpRequest.DONE){
      if(xhr.status == 200){
@ -114,5 +122,5 @@ function toggleUpvote(id){
      }
    }
  };
-  xhr.send();
+  xhr.send(body);
 }
--- a/src/coriplus/templates/base.html
+++ b/src/coriplus/templates/base.html
@ -6,6 +6,7 @@
    <link rel="stylesheet" type="text/css" href="/static/style.css">
    <meta name="og:title" content="Cori+">
    <meta name="og:description" content="A simple social network. Post text statuses, optionally with image.">
+    <meta name="csrf_token" content="{{ csrf_token() }}">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Funnel+Sans:ital,wght@0,300..800;1,300..800&family=Inter:ital,opsz,wght@0,14..32,100..900;1,14..32,100..900&display=swap" rel="stylesheet">