
Commit b734d9c

fix: csrf token updates
1 parent 038bf27 commit b734d9c


3 files changed

+29
-6
lines changed

3 files changed

+29
-6
lines changed

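--- a/web/events/events.go
+++ b/web/events/events.go
@@ -1,9 +1,17 @@
 // events are used by pages/components packages.
 package events
 
-import "github.com/ItsNotGoodName/smtpbridge/pkg/htmx"
+import (
+"fmt"
+
+"github.com/ItsNotGoodName/smtpbridge/pkg/htmx"
+)
 
 const (
 EnvelopeCreated htmx.Event = "envelope-created"
 RetentionPolicyRun htmx.Event = "retention-policy-run"
 )
+
+func CSRFToken(csrfToken string) htmx.Event {
+return htmx.Event(fmt.Sprintf(`{ "csrfToken": "%s" }`, csrfToken))
+}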
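Review bot: `CSRFToken` (new lines 15-17) assembles the JSON payload with `fmt.Sprintf` and a bare `%s`, so the output is only valid JSON while the token contains no `"`, `\` or control characters. The token passed in from controller.go comes from `csrf.Token(r)`, which for gorilla/csrf is base64 text, so this should hold today, but the function is exported and takes any string. Encoding the value removes that dependence: `b, _ := json.Marshal(map[string]string{"csrfToken": csrfToken})` followed by `return htmx.Event(b)`, with `encoding/json` replacing `fmt` in the import block. The function also needs a doc comment, for example `// CSRFToken returns an event whose JSON payload carries the current CSRF token to the client.`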

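--- a/web/http/controller.go
+++ b/web/http/controller.go
@@ -9,6 +9,7 @@ import (
 "github.com/ItsNotGoodName/smtpbridge/internal/core"
 "github.com/ItsNotGoodName/smtpbridge/web"
 c "github.com/ItsNotGoodName/smtpbridge/web/components"
+"github.com/ItsNotGoodName/smtpbridge/web/events"
 "github.com/ItsNotGoodName/smtpbridge/web/meta"
 "github.com/ItsNotGoodName/smtpbridge/web/routes"
 "github.com/a-h/templ"
@@ -54,10 +55,15 @@ func (ct Controller) Meta(r *http.Request) meta.Meta {
 
 func (ct Controller) Page(w http.ResponseWriter, r *http.Request, body templ.Component) {
 csrfToken := csrf.Token(r)
+events.CSRFToken(csrfToken).SetTrigger(w)
+
 c.Base(ct.head, body, csrfToken).Render(r.Context(), w)
 }
 
 func (ct Controller) Component(w http.ResponseWriter, r *http.Request, body templ.Component) {
+csrfToken := csrf.Token(r)
+events.CSRFToken(csrfToken).SetTrigger(w)
+
 body.Render(r.Context(), w)
 }
 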
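Review bot: The two new `SetTrigger` calls (new lines 58 and 65) attach a JSON-object trigger to every page and fragment response, and nothing in this diff shows how that combines with handlers that emit the plain-name events such as `events.EnvelopeCreated`. If `SetTrigger` assigns the HX-Trigger header rather than merging into it, whichever call runs last wins and either the token refresh or the other event is silently dropped; that needs checking against pkg/htmx, which is outside this page. Because the token now travels in a response header on every fragment, it is also worth confirming that these responses are not stored by a shared cache. The same two-line preamble is repeated in `Page` and `Component`, so a small private helper that sets the trigger and returns the token would keep them from drifting apart.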

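--- a/web/src/main.ts
+++ b/web/src/main.ts
@@ -4,11 +4,20 @@ import "./index.css"
 
 import "htmx.org"
 
-const csrfToken = (document.getElementsByName("gorilla.csrf.Token").item(0) as HTMLMetaElement).content
-
-document.body.addEventListener('htmx:configRequest', function(evt: any) {
-evt.detail.headers['X-CSRF-Token'] = csrfToken;
-});
+// csrfToken is first loaded from meta tag and then is updated through HX-Trigger HTTP response headers.
+// This allows HX-Boost to happen without invalidating previous csrfToken.
+{
+let csrfToken = (document.getElementsByName("gorilla.csrf.Token").item(0) as HTMLMetaElement).content
+
+document.body.addEventListener("csrfToken", function(evt: any) {
+csrfToken = evt.detail.value
+})
+
+document.body.addEventListener('htmx:configRequest', function(evt: any) {
+// TODO: why can't I use console.log here?
+evt.detail.headers['X-CSRF-Token'] = csrfToken;
+});
+}
 
 // ------------- Toastify
 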
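Review bot: The `csrfToken` listener on new lines 12-14 assigns `evt.detail.value` unchecked, so an event that arrives without a string value would overwrite the last good token and later requests would presumably be rejected by the CSRF check. A guard keeps the previous token in that case: `if (typeof evt.detail?.value === "string" && evt.detail.value !== "") csrfToken = evt.detail.value`. The meta lookup on new line 10 still dereferences `.item(0)` without a null check, which throws on any page rendered without the tag. The TODO on new line 17 should be resolved or removed before this lands.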
