custom JS removed in favor of proper CSRF implementation

src/initializers/view_engine.rs

@@ -6,6 +6,7 @@ use loco_rs::{
     controller::views::{engines, ViewEngine},
     Error, Result,
 };
+use std::collections::HashMap;
 use tracing::info;
 
 const I18N_DIR: &str = "assets/i18n";
@@ -35,10 +36,27 @@ impl Initializer for ViewEngineInitializer {
 
             engines::TeraView::build()?.post_process(move |tera| {
                 tera.register_function("t", FluentLoader::new(arc.clone()));
+                // `csrf_token()`: the in-flight request's CSRF token (bound by
+                // `shared::csrf::protect`), rendered into `<body hx-headers>`
+                // and `ui::csrf_field()`. Inlined so its `tera::Error` return is
+                // inferred from `register_function` — we never name a `tera`
+                // type, keeping it off our direct deps and pinned to loco's.
+                tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
+                    Ok(serde_json::Value::String(
+                        crate::shared::csrf::current_token().unwrap_or_default(),
+                    ))
+                });
                 Ok(())
             })?
         } else {
-            engines::TeraView::build()?
+            engines::TeraView::build()?.post_process(|tera| {
+                tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
+                    Ok(serde_json::Value::String(
+                        crate::shared::csrf::current_token().unwrap_or_default(),
+                    ))
+                });
+                Ok(())
+            })?
         };
 
         Ok(router.layer(Extension(ViewEngine::from(tera_engine))))