custom JS removed in favor of proper CSRF implementation

2026-06-21 18:22:21 +02:00
parent 86888b3877
commit db6b609937
25 changed files with 94 additions and 72 deletions
--- a/assets/views/shop/_card.html
+++ b/assets/views/shop/_card.html
@@ -26,6 +26,7 @@
    <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="in-stock", lang=lang | default(value='sk')) }}: {{ product.stock }}</p>
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <input type="hidden" name="quantity" value="1">
      {{ ui::button(label=t(key="add-to-cart", lang=lang | default(value='sk')), type="submit", extra="w-full", icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" aria-hidden="true" class="size-3.5"><path fill-rule="evenodd" d="M5 4a3 3 0 0 1 6 0v1h.643a1.5 1.5 0 0 1 1.492 1.35l.7 7A1.5 1.5 0 0 1 12.342 15H3.657a1.5 1.5 0 0 1-1.492-1.65l.7-7A1.5 1.5 0 0 1 4.357 5H5V4Zm4.5 0v1h-3V4a1.5 1.5 0 0 1 3 0Zm-3 3.75a.75.75 0 0 0-1.5 0v1a3 3 0 1 0 6 0v-1a.75.75 0 0 0-1.5 0v1a1.5 1.5 0 1 1-3 0v-1Z" clip-rule="evenodd" /></svg>') }}
--- a/assets/views/shop/_cart_body.html
+++ b/assets/views/shop/_cart_body.html
@@ -27,6 +27,7 @@
             reverting to the previous quantity if the customer cancels. #}
          <form method="post" action="/cart/update"
            hx-post="/cart/update" hx-trigger="cartchange" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            <input type="number" name="quantity" min="0" max="{{ item.stock }}" value="{{ item.quantity }}"
              @change="
@@ -43,6 +44,7 @@
        <td class="px-4 py-3 text-right">
          <form method="post" action="/cart/remove"
            hx-post="/cart/remove" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            {{ ui::button(variant="ghost-danger", label=t(key="cart-remove", lang=lang | default(value='sk')), type="submit", size="px-2 py-1 text-xs") }}
          </form>
--- a/assets/views/shop/checkout.html
+++ b/assets/views/shop/checkout.html
@@ -21,7 +21,8 @@
    packetaKey: '{{ packeta_api_key }}',
    fmt(c) { return (c / 100).toFixed(2) },
    pickPoint() {
-      Packeta.Widget.pick(this.packetaKey, (point) => {
+      Packeta.Widget.pick(this.packetaKey, (point) =>
+  {{ ui::csrf_field() }} {
        if (point) { this.pointId = String(point.id); this.pointName = point.formatedValue || point.name }
      })
    },
--- a/assets/views/shop/show.html
+++ b/assets/views/shop/show.html
@@ -63,6 +63,7 @@
    {% if product.stock > 0 %}
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none" class="flex flex-wrap items-end gap-3"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <div class="space-y-1.5">
        <label for="quantity" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="quantity", lang=lang | default(value='sk')) }}</label>