csrf implemented

assets/views/base.html

@@ -67,6 +67,36 @@
          required by the Penguin UI keyboard-accessible dropdowns. -->
     <script defer src="/static/vendor/alpine/alpine-focus-3.14.9.min.js"></script>
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
+    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
+         htmx requests get it as an X-CSRF-Token header; native <form> submits
+         (hx-boost="false") can't set a header, so a hidden _csrf field is
+         injected instead. Server side: shared::csrf::protect. -->
+    <script>
+      (function () {
+        function csrfToken() {
+          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
+          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
+        }
+        document.addEventListener('htmx:configRequest', function (e) {
+          var t = csrfToken();
+          if (t) e.detail.headers['X-CSRF-Token'] = t;
+        });
+        document.addEventListener('submit', function (e) {
+          var form = e.target;
+          if (!form || (form.method || '').toLowerCase() !== 'post') return;
+          var t = csrfToken();
+          if (!t) return;
+          var input = form.querySelector('input[name="_csrf"]');
+          if (!input) {
+            input = document.createElement('input');
+            input.type = 'hidden';
+            input.name = '_csrf';
+            form.appendChild(input);
+          }
+          input.value = t;
+        }, true);
+      })();
+    </script>
   </head>
   <body hx-boost="true"
     x-data="{ cats: false, lg: window.matchMedia('(min-width: 1024px)').matches }"