custom JS removed in favor of proper CSRF implementation

2026-06-21 18:22:21 +02:00
parent 86888b3877
commit db6b609937
25 changed files with 94 additions and 72 deletions
--- a/assets/views/account/password.html
+++ b/assets/views/account/password.html
@@ -22,6 +22,7 @@

  <form method="post" action="/account/password" hx-boost="false" class="mt-6 flex flex-col gap-4"
    x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
    <div class="flex flex-col gap-1">
      <label for="current_password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="current_password", id="current_password", type="password", required=true, autocomplete="current-password") }}
--- a/assets/views/account/profile.html
+++ b/assets/views/account/profile.html
@@ -82,6 +82,7 @@

  <!-- edit form -->
  <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
+  {{ ui::csrf_field() }}
    <!-- account type is fixed at registration and shown read-only -->
    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
--- a/assets/views/account/security.html
+++ b/assets/views/account/security.html
@@ -39,6 +39,7 @@
      <code class="mt-1 inline-block break-all font-mono text-sm text-on-surface-strong dark:text-on-surface-dark-strong">{{ secret }}</code>
    </div>
    <form method="post" action="/account/security/confirm" hx-boost="false" class="flex flex-col gap-3">
+  {{ ui::csrf_field() }}
      <label for="code" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-enter-code", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="code", id="code", type="text", required=true, autocomplete="one-time-code", attrs='inputmode="numeric" pattern="[0-9]*" maxlength="6" autofocus') }}
      {{ ui::button(label=t(key="security-2fa-confirm", lang=lang | default(value='sk')), type="submit", extra="w-full") }}
@@ -53,6 +54,7 @@
  </div>

  <form method="post" action="/account/security/backup-codes" hx-boost="false" class="mt-6 flex flex-col gap-3 rounded-radius border border-outline bg-surface-alt p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
    <p class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-regenerate", lang=lang | default(value='sk')) }}</p>
    <label for="regen_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
    {{ ui::input(name="current_password", id="regen_pw", type="password", required=true, autocomplete="current-password") }}
@@ -60,6 +62,7 @@
  </form>

  <form method="post" action="/account/security/disable" hx-boost="false" class="mt-4 flex flex-col gap-3 rounded-radius border border-danger/40 bg-danger/5 p-5">
+  {{ ui::csrf_field() }}
    <p class="text-sm font-medium text-danger">{{ t(key="security-2fa-disable", lang=lang | default(value='sk')) }}</p>
    <p class="text-xs text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-disable-hint", lang=lang | default(value='sk')) }}</p>
    <label for="disable_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
@@ -70,6 +73,7 @@
  {% else %}
  {# --- Disabled: offer to enable --- #}
  <form method="post" action="/account/security/enable" hx-boost="false" class="mt-6">
+  {{ ui::csrf_field() }}
    <div class="flex items-center gap-2">
      {{ ui::badge(label=t(key="security-2fa-off", lang=lang | default(value='sk')), variant="neutral") }}
    </div>
--- a/assets/views/admin/base.html
+++ b/assets/views/admin/base.html
@@ -43,38 +43,9 @@
    {% block head %}{% endblock head %}
    <script src="/static/vendor/htmx/htmx-1.9.12.min.js"></script>
    <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
-    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
-         htmx requests get it as an X-CSRF-Token header; native <form> submits
-         can't set a header, so a hidden _csrf field is injected instead.
-         Server side: shared::csrf::protect. -->
-    <script>
-      (function () {
-        function csrfToken() {
-          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
-          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
-        }
-        document.addEventListener('htmx:configRequest', function (e) {
-          var t = csrfToken();
-          if (t) e.detail.headers['X-CSRF-Token'] = t;
-        });
-        document.addEventListener('submit', function (e) {
-          var form = e.target;
-          if (!form || (form.method || '').toLowerCase() !== 'post') return;
-          var t = csrfToken();
-          if (!t) return;
-          var input = form.querySelector('input[name="_csrf"]');
-          if (!input) {
-            input = document.createElement('input');
-            input.type = 'hidden';
-            input.name = '_csrf';
-            form.appendChild(input);
-          }
-          input.value = t;
-        }, true);
-      })();
-    </script>
  </head>
  <body
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
    x-data="{ showSidebar: false }"
    class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">

@@ -126,6 +97,7 @@
          {{ t(key="admin-exit", lang=lang | default(value='sk')) }}
        </a>
        <form method="post" action="/logout">
+          {{ ui::csrf_field() }}
          <button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
            {{ t(key="logout", lang=lang | default(value='sk')) }}
          </button>
--- a/assets/views/admin/catalog/categories.html
+++ b/assets/views/admin/catalog/categories.html
@@ -46,6 +46,7 @@
            {{ ui::button(variant="outline-secondary", label=t(key="edit", lang=lang | default(value='sk')), href="/admin/catalog/categories/" ~ row.category.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
            <form method="post" action="/admin/catalog/categories/{{ row.category.id }}/delete"
              onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
              {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
            </form>
          </div>
--- a/assets/views/admin/catalog/category_form.html
+++ b/assets/views/admin/catalog/category_form.html
@@ -15,6 +15,7 @@
 <form method="post" enctype="multipart/form-data"
  action="{% if category %}/admin/catalog/categories/{{ category.id }}{% else %}/admin/catalog/categories{% endif %}"
  class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}

  {% if category %}
    {% set v_name = category.name %}{% set v_slug = category.slug %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
--- a/assets/views/admin/catalog/product_form.html
+++ b/assets/views/admin/catalog/product_form.html
@@ -15,6 +15,7 @@
 <form method="post" enctype="multipart/form-data"
  action="{% if product %}/admin/catalog/products/{{ product.id }}{% else %}/admin/catalog/products{% endif %}"
  class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}

  {% if product %}
    {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_slug = product.slug %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
--- a/assets/views/admin/catalog/products.html
+++ b/assets/views/admin/catalog/products.html
@@ -56,6 +56,7 @@
            {{ ui::button(variant="outline-secondary", label=t(key="view", lang=lang | default(value='sk')), href="/shop/" ~ product.slug, size="px-3 py-1.5 text-xs") }}
            <form method="post" action="/admin/catalog/products/{{ product.id }}/delete"
              onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
              {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
            </form>
          </div>
--- a/assets/views/admin/orders/show.html
+++ b/assets/views/admin/orders/show.html
@@ -110,6 +110,7 @@
      <p class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-send-hint", lang=lang | default(value='sk')) }}</p>
      <form method="post" action="/admin/orders/{{ order.id }}/ship"
        onsubmit="return confirm('{{ t(key="order-send-confirm", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
        {% set carrier_up = carrier | upper %}
        {% set ship_label = t(key="order-send-to-carrier", lang=lang | default(value='sk')) ~ " " ~ carrier_up %}
        {{ ui::button(label=ship_label, type="submit", extra="w-full") }}
@@ -118,6 +119,7 @@
    </div>

    <form method="post" action="/admin/orders/{{ order.id }}/status" class="space-y-3 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
      <label for="status" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="order-status", lang=lang | default(value='sk')) }}</label>
      <div class="relative">
        <select id="status" name="status"
--- a/assets/views/admin/shipping/index.html
+++ b/assets/views/admin/shipping/index.html
@@ -14,6 +14,7 @@
  {% for method in methods %}
  <form method="post" action="/admin/shipping/{{ method.id }}"
    class="flex flex-wrap items-end gap-4 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
    <div class="min-w-40">
      <p class="font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ method.name }}</p>
      <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ method.carrier | upper }}{% if method.requires_pickup_point %} · {{ t(key="checkout-pickup-point", lang=lang | default(value='sk')) }}{% endif %}</p>
--- a/assets/views/auth/login.html
+++ b/assets/views/auth/login.html
@@ -30,6 +30,7 @@
      {% endif %}

      <form method="post" action="/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="email"
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
--- a/assets/views/auth/login_totp.html
+++ b/assets/views/auth/login_totp.html
@@ -28,6 +28,7 @@
      {% endif %}

      <form method="post" action="/login/totp" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="code"
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
--- a/assets/views/auth/register.html
+++ b/assets/views/auth/register.html
@@ -32,6 +32,7 @@

      <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
        x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1.5">
          <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
          <div class="grid grid-cols-2 gap-2">
--- a/assets/views/auth/resend_verification.html
+++ b/assets/views/auth/resend_verification.html
@@ -24,6 +24,7 @@
      {% else %}
      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
      <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
--- a/assets/views/auth/set_password.html
+++ b/assets/views/auth/set_password.html
@@ -29,6 +29,7 @@
      {% endif %}

      <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
        <input type="hidden" name="token" value="{{ token }}">
        <div class="flex flex-col gap-1">
          <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>
--- a/assets/views/base.html
+++ b/assets/views/base.html
@@ -67,38 +67,9 @@
         required by the Penguin UI keyboard-accessible dropdowns. -->
    <script defer src="/static/vendor/alpine/alpine-focus-3.14.9.min.js"></script>
    <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
-    <!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
-         htmx requests get it as an X-CSRF-Token header; native <form> submits
-         (hx-boost="false") can't set a header, so a hidden _csrf field is
-         injected instead. Server side: shared::csrf::protect. -->
-    <script>
-      (function () {
-        function csrfToken() {
-          var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
-          return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
-        }
-        document.addEventListener('htmx:configRequest', function (e) {
-          var t = csrfToken();
-          if (t) e.detail.headers['X-CSRF-Token'] = t;
-        });
-        document.addEventListener('submit', function (e) {
-          var form = e.target;
-          if (!form || (form.method || '').toLowerCase() !== 'post') return;
-          var t = csrfToken();
-          if (!t) return;
-          var input = form.querySelector('input[name="_csrf"]');
-          if (!input) {
-            input = document.createElement('input');
-            input.type = 'hidden';
-            input.name = '_csrf';
-            form.appendChild(input);
-          }
-          input.value = t;
-        }, true);
-      })();
-    </script>
  </head>
  <body hx-boost="true"
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
    x-data="{ cats: false, lg: window.matchMedia('(min-width: 1024px)').matches }"
    x-init="window.matchMedia('(min-width: 1024px)').addEventListener('change', e => lg = e.matches)"
    class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -121,6 +92,7 @@
          <li>{{ ui::nav_link(label=t(key="admin-title", lang=lang | default(value='sk')), href="/admin/dashboard", data_nav="/admin", variant="warning", attrs='hx-boost="false"') }}</li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
              <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -193,6 +165,7 @@
          <li><a href="/admin/dashboard" hx-boost="false" data-nav="/admin" class="block rounded-radius px-3 py-2 text-sm font-medium text-warning underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="admin-title", lang=lang | default(value='sk')) }}</a></li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -200,6 +173,7 @@
          <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -229,6 +203,7 @@
          <li><a href="/account/security" data-nav="/account/security" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="security-title", lang=lang | default(value='sk')) }}</a></li>
        </ul>
        <form method="post" action="/logout" hx-boost="false" class="mt-4 border-t border-outline pt-3 dark:border-outline-dark">
+  {{ ui::csrf_field() }}
          <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
        </form>
      </aside>
--- a/assets/views/macros/ui.html
+++ b/assets/views/macros/ui.html
@@ -29,6 +29,13 @@
       outline : outline-primary | outline-secondary | outline-alternate | outline-danger
       ghost   : ghost-primary | ghost-secondary | ghost-danger #}

+{# CSRF hidden field for native (non-htmx) <form method="post"> submits. htmx
+   requests instead inherit the X-CSRF-Token header from <body hx-headers>.
+   `csrf_token()` is a global Tera function bound per-request by shared::csrf. #}
+{% macro csrf_field() -%}
+<input type="hidden" name="_csrf" value="{{ csrf_token() }}">
+{%- endmacro %}
+
 {% macro button(label, variant="primary", type="button", href="", attrs="", extra="", icon="", size="px-4 py-2 text-sm") -%}
 {%- if variant == "secondary" -%}{% set cls = "border border-secondary bg-secondary text-on-secondary focus-visible:outline-secondary dark:border-secondary-dark dark:bg-secondary-dark dark:text-on-secondary-dark dark:focus-visible:outline-secondary-dark" -%}
 {%- elif variant == "danger" -%}{% set cls = "border border-danger bg-danger text-on-danger focus-visible:outline-danger dark:bg-danger dark:border-danger dark:text-on-danger dark:focus-visible:outline-danger" -%}
--- a/assets/views/partials/profile_menu.html
+++ b/assets/views/partials/profile_menu.html
@@ -68,7 +68,8 @@
    </div>
    <!-- logout -->
    <div class="flex flex-col py-1.5">
-      <form method="post" action="/logout" hx-boost="false"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
+      <form method="post" action="/logout" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M7.5 3.75A1.5 1.5 0 006 5.25v13.5a1.5 1.5 0 001.5 1.5h6a1.5 1.5 0 001.5-1.5V15a.75.75 0 011.5 0v3.75a3 3 0 01-3 3h-6a3 3 0 01-3-3V5.25a3 3 0 013-3h6a3 3 0 013 3V9A.75.75 0 0115 9V5.25a1.5 1.5 0 00-1.5-1.5h-6zm10.72 4.72a.75.75 0 011.06 0l3 3a.75.75 0 010 1.06l-3 3a.75.75 0 11-1.06-1.06l1.72-1.72H9a.75.75 0 010-1.5h10.94l-1.72-1.72a.75.75 0 010-1.06z" clip-rule="evenodd"/></svg>
        {{ t(key="logout", lang=lang | default(value='sk')) }}
      </button></form>
--- a/assets/views/partials/settings_dropdown.html
+++ b/assets/views/partials/settings_dropdown.html
@@ -20,6 +20,7 @@
  class="absolute right-0 mt-2 flex w-56 flex-col overflow-hidden rounded-radius border border-outline bg-surface-alt py-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt"
  role="menu">
  <form method="post" action="/lang" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
    <p class="px-4 py-1.5 text-xs font-semibold uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">
      {{ t(key="settings-language", lang=lang | default(value='sk')) }}
    </p>
--- a/assets/views/shop/_card.html
+++ b/assets/views/shop/_card.html
@@ -26,6 +26,7 @@
    <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="in-stock", lang=lang | default(value='sk')) }}: {{ product.stock }}</p>
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <input type="hidden" name="quantity" value="1">
      {{ ui::button(label=t(key="add-to-cart", lang=lang | default(value='sk')), type="submit", extra="w-full", icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" aria-hidden="true" class="size-3.5"><path fill-rule="evenodd" d="M5 4a3 3 0 0 1 6 0v1h.643a1.5 1.5 0 0 1 1.492 1.35l.7 7A1.5 1.5 0 0 1 12.342 15H3.657a1.5 1.5 0 0 1-1.492-1.65l.7-7A1.5 1.5 0 0 1 4.357 5H5V4Zm4.5 0v1h-3V4a1.5 1.5 0 0 1 3 0Zm-3 3.75a.75.75 0 0 0-1.5 0v1a3 3 0 1 0 6 0v-1a.75.75 0 0 0-1.5 0v1a1.5 1.5 0 1 1-3 0v-1Z" clip-rule="evenodd" /></svg>') }}
--- a/assets/views/shop/_cart_body.html
+++ b/assets/views/shop/_cart_body.html
@@ -27,6 +27,7 @@
             reverting to the previous quantity if the customer cancels. #}
          <form method="post" action="/cart/update"
            hx-post="/cart/update" hx-trigger="cartchange" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            <input type="number" name="quantity" min="0" max="{{ item.stock }}" value="{{ item.quantity }}"
              @change="
@@ -43,6 +44,7 @@
        <td class="px-4 py-3 text-right">
          <form method="post" action="/cart/remove"
            hx-post="/cart/remove" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            {{ ui::button(variant="ghost-danger", label=t(key="cart-remove", lang=lang | default(value='sk')), type="submit", size="px-2 py-1 text-xs") }}
          </form>
--- a/assets/views/shop/checkout.html
+++ b/assets/views/shop/checkout.html
@@ -21,7 +21,8 @@
    packetaKey: '{{ packeta_api_key }}',
    fmt(c) { return (c / 100).toFixed(2) },
    pickPoint() {
-      Packeta.Widget.pick(this.packetaKey, (point) => {
+      Packeta.Widget.pick(this.packetaKey, (point) =>
+  {{ ui::csrf_field() }} {
        if (point) { this.pointId = String(point.id); this.pointName = point.formatedValue || point.name }
      })
    },
--- a/assets/views/shop/show.html
+++ b/assets/views/shop/show.html
@@ -63,6 +63,7 @@
    {% if product.stock > 0 %}
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none" class="flex flex-wrap items-end gap-3"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <div class="space-y-1.5">
        <label for="quantity" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="quantity", lang=lang | default(value='sk')) }}</label>