custom JS removed in favor of proper CSRF implementation

This commit is contained in:
Priec
2026-06-21 18:22:21 +02:00
parent 86888b3877
commit db6b609937
25 changed files with 94 additions and 72 deletions


@@ -43,38 +43,9 @@
{% block head %}{% endblock head %}
<script src="/static/vendor/htmx/htmx-1.9.12.min.js"></script>
<script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
<!-- CSRF: echo the signed `csrf_token` cookie back on every unsafe request.
htmx requests get it as an X-CSRF-Token header; native <form> submits
can't set a header, so a hidden _csrf field is injected instead.
Server side: shared::csrf::protect. -->
<script>
(function () {
function csrfToken() {
var m = document.cookie.split('; ').find(function (c) { return c.indexOf('csrf_token=') === 0; });
return m ? decodeURIComponent(m.split('=').slice(1).join('=')) : '';
}
document.addEventListener('htmx:configRequest', function (e) {
var t = csrfToken();
if (t) e.detail.headers['X-CSRF-Token'] = t;
});
document.addEventListener('submit', function (e) {
var form = e.target;
if (!form || (form.method || '').toLowerCase() !== 'post') return;
var t = csrfToken();
if (!t) return;
var input = form.querySelector('input[name="_csrf"]');
if (!input) {
input = document.createElement('input');
input.type = 'hidden';
input.name = '_csrf';
form.appendChild(input);
}
input.value = t;
}, true);
})();
</script>
</head>
<body
hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
x-data="{ showSidebar: false }"
class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -126,6 +97,7 @@
{{ t(key="admin-exit", lang=lang | default(value='sk')) }}
</a>
<form method="post" action="/logout">
{{ ui::csrf_field() }}
<button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
{{ t(key="logout", lang=lang | default(value='sk')) }}
</button>
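Review bot: The removed comment block was the only place in the layout that explained the CSRF contract, and the new `hx-headers` attribute on `<body>` plus the `{{ ui::csrf_field() }}` call in the logout form carry no replacement note, so a later author adding a plain `<form method="post">` has nothing telling them the hidden field is now mandatory rather than auto-injected. I would restore a short template comment above `<body>`, e.g. `<!-- CSRF: htmx requests inherit X-CSRF-Token from the hx-headers on <body>; native <form method="post"> must include {{ ui::csrf_field() }} — nothing injects it client-side any more. -->`. Two points to confirm rather than defects I can see from here: the token is embedded in a single-quoted JSON attribute, so it depends on the template engine's autoescaping of `"` and `'` to keep the attribute well-formed, and because the token is now baked into the rendered HTML instead of read from the cookie at request time, this layout must not be served from a shared cache and the cookie must not rotate within a page's lifetime, or the header will go stale. The `<head>`/`<body>` markup continues outside the first hunk, so any page that overrides `<body>` in a child template would need the same attribute.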