csrf implemented

assets/views/admin/base.html

@@ -43,6 +43,36 @@
     {% block head %}{% endblock head %}
     <script src="/static/vendor/htmx/htmx-1.9.12.min.js"></script>
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
+    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
+         htmx requests get it as an X-CSRF-Token header; native <form> submits
+         can't set a header, so a hidden _csrf field is injected instead.
+         Server side: shared::csrf::protect. -->
+    <script>
+      (function () {
+        function csrfToken() {
+          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
+          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
+        }
+        document.addEventListener('htmx:configRequest', function (e) {
+          var t = csrfToken();
+          if (t) e.detail.headers['X-CSRF-Token'] = t;
+        });
+        document.addEventListener('submit', function (e) {
+          var form = e.target;
+          if (!form || (form.method || '').toLowerCase() !== 'post') return;
+          var t = csrfToken();
+          if (!t) return;
+          var input = form.querySelector('input[name="_csrf"]');
+          if (!input) {
+            input = document.createElement('input');
+            input.type = 'hidden';
+            input.name = '_csrf';
+            form.appendChild(input);
+          }
+          input.value = t;
+        }, true);
+      })();
+    </script>
   </head>
   <body
     x-data="{ showSidebar: false }"