From 536b5909c8b6eb53df9c3f5d25c45dc921485317 Mon Sep 17 00:00:00 2001
From: surtur
Date: Sat, 5 Aug 2023 21:43:45 +0200
Subject: [PATCH] go,tmpl: use CSRF token in relevant places
---
handlers/home.go | 3 +++
handlers/logout.go | 3 +++
handlers/signin.go | 5 +++++
templates/signin.tmpl | 1 +
templates/signup.tmpl | 2 +-
5 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/handlers/home.go b/handlers/home.go
index cee6925..a43d434 100644
--- a/handlers/home.go
+++ b/handlers/home.go
@@ -67,6 +67,8 @@ func Home(client *ent.Client) echo.HandlerFunc {
 )
 }
 
+ csrf := c.Get("csrf").(string)
+
 err := c.Render(http.StatusOK, "home.tmpl",
 page{
 AppName: setting.AppName(),
@@ -74,6 +76,7 @@ func Home(client *ent.Client) echo.HandlerFunc {
 Title: "Home",
 Name: username,
 DevelMode: setting.IsDevel(),
+ CSRF: csrf,
 Current: "home",
 User: u,
 },
diff --git a/handlers/logout.go b/handlers/logout.go
index fa3acee..e6e2339 100644
--- a/handlers/logout.go
+++ b/handlers/logout.go
@@ -14,6 +14,8 @@ func Logout() echo.HandlerFunc {
 return func(c echo.Context) error {
 addHeaders(c)
 
+ csrf := c.Get("csrf").(string)
+
 switch {
 case c.Request().Method == "POST":
 sess, _ := session.Get(setting.SessionCookieName(), c)
@@ -41,6 +43,7 @@ func Logout() echo.HandlerFunc {
 AppName: setting.AppName(),
 AppVer: appver,
 Title: "Logout",
+ CSRF: csrf,
 DevelMode: setting.IsDevel(),
 Current: "logout",
 },
diff --git a/handlers/signin.go b/handlers/signin.go
index 0771e89..dc60c2f 100644
--- a/handlers/signin.go
+++ b/handlers/signin.go
@@ -27,6 +27,8 @@ func Signin() echo.HandlerFunc {
 }
 }
 
+ csrf := c.Get("csrf").(string)
+
 return c.Render(
 http.StatusOK,
 "signin.tmpl",
@@ -34,6 +36,7 @@ func Signin() echo.HandlerFunc {
 AppName: setting.AppName(),
 AppVer: appver,
 Title: "Sign in",
+ CSRF: csrf,
 DevelMode: setting.IsDevel(),
 Current: "signin",
 },
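Review bot: `csrf := c.Get("csrf").(string)` in the first home.go hunk is an unchecked type assertion; if the CSRF middleware is not registered on this route, is skipped, or is configured with a ContextKey other than the default "csrf", `c.Get` returns nil and the assertion panics, turning a misconfiguration into a 500 on every page view instead of a form that simply fails token validation. The same line is added to four handlers by this commit, so a small helper in the handlers package using the comma-ok form keeps the fail-closed behaviour explicit in one place. Home's body starts and ends outside the hunk.

```go
// csrfToken returns the token the CSRF middleware stored in the request
// context, or "" when it is absent — an empty token makes the rendered form
// fail validation rather than making the handler panic.
func csrfToken(c echo.Context) string {
	tok, _ := c.Get("csrf").(string)
	return tok
}

	// … unchanged: Home handler body up to the render …
	csrf := csrfToken(c)
```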
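Review bot: In the first logout.go hunk `csrf := c.Get("csrf").(string)` runs before the `switch`, so it is also evaluated on the POST path, where from the visible lines the token is never rendered; a nil context value there (middleware skipped on this route, or a non-default ContextKey) panics before the session is cleared. Reading the token only in the branch that renders the page, with the comma-ok form `csrf, _ := c.Get("csrf").(string)`, limits the dependency on the middleware to the GET rendering path and degrades to an empty token instead of a panic. Whether POST /logout itself is protected by the CSRF middleware is not visible in this hunk and is worth confirming, since the form now carries a token that only helps if something validates it. Logout's switch continues outside the hunk.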
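Review bot: The new `csrf` local in the first signin.go hunk carries no note of where the value comes from, and `c.Get("csrf")` silently couples Signin to the CSRF middleware's context key. A one-line comment such as `// csrf is set by the CSRF middleware under context key "csrf"; the template renders it in the form so SigninPost passes token validation` tells the next reader why a GET handler needs a token at all. If the middleware can be skipped on this route, prefer `csrf, _ := c.Get("csrf").(string)`, since a plain assertion on a nil value panics. Signin's body continues outside the hunk.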
@@ -55,12 +58,14 @@ func SigninPost(client *ent.Client) echo.HandlerFunc {
 )
 }
 
+ csrf := c.Get("csrf").(string)
 username := cu.Username
 password := cu.Password
 p := page{
 AppName: setting.AppName(),
 AppVer: appver,
 Title: "Sign in",
+ CSRF: csrf,
 DevelMode: setting.IsDevel(),
 Current: "signin",
 }
diff --git a/templates/signin.tmpl b/templates/signin.tmpl
index 817d613..424a6b8 100644
--- a/templates/signin.tmpl
+++ b/templates/signin.tmpl
@@ -14,6 +14,7 @@
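Review bot: `csrf` is bound only after the `)` and `}` that open the SigninPost hunk, which look like the end of an earlier `c.Render` return (presumably the bind-failure path); if that earlier render also serves signin.tmpl, the page it produces has no CSRF value, so the re-displayed form submits an empty token and the user's retry is rejected by the middleware rather than by the form's own validation. Reading the token before that early return, or building `p` once and reusing it for both renders, keeps every rendering of the form tokenized. As elsewhere in this commit, `csrf, _ := c.Get("csrf").(string)` is preferable to the bare assertion so a missing context value yields an empty token instead of a panic. SigninPost's body starts and ends outside the hunk.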
+ {{ if and .Data .Data.flash }}

Error: {{.Data.flash}}

diff --git a/templates/signup.tmpl b/templates/signup.tmpl
index ab97b51..7572cab 100644
--- a/templates/signup.tmpl
+++ b/templates/signup.tmpl
@@ -13,7 +13,7 @@
- +
{{ template "svg-user.tmpl" }}
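Review bot: The markup of the signup.tmpl hunk did not survive extraction (the replaced line shows only its `-`/`+` markers), so the actual change cannot be checked here; what is visible is the diffstat at the top of the patch, which lists no signup handler among the changed files. If this line now renders `{{.CSRF}}` the way the handlers in this commit populate it for home, logout and signin, the signup handler must also set `CSRF` on its page value, otherwise the hidden field renders empty and every signup POST is rejected by the CSRF middleware. Worth confirming against the signup handler before merging.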