authorBrian Picciano <mediocregopher@gmail.com>2021-08-29 22:15:58 -0600
committerBrian Picciano <mediocregopher@gmail.com>2021-08-29 22:15:58 -0600
commit15ae483fadbd136acefcd602b2f2ac5a83165c73 (patch)
tree0f25ed1dd81e4fffeed6055dd02da48a567c8fb2 /static/src/assets
parent5746a510fc569fd464e46b646d4979a976ad769b (diff)
add CSRF checking
Diffstat (limited to 'static/src/assets')
-rw-r--r--static/src/assets/api.js12
-rw-r--r--static/src/assets/utils.js12
2 files changed, 22 insertions, 2 deletions
diff --git a/static/src/assets/api.js b/static/src/assets/api.js
index bec2740..b591764 100644
--- a/static/src/assets/api.js
+++ b/static/src/assets/api.js
@@ -1,3 +1,4 @@
+import * as utils from "/assets/utils.js";
const doFetch = async (req) => {
let res, jsonRes;
@@ -48,7 +49,15 @@ const solvePow = async () => {
const call = async (method, route, opts = {}) => {
const { body = {}, requiresPow = false } = opts;
- const reqOpts = { method };
+ if (!utils.cookies["csrf_token"])
+ throw "csrf_token cookie not set, can't make api call";
+
+ const reqOpts = {
+ method,
+ headers: {
+ "X-CSRF-Token": utils.cookies["csrf_token"],
+ },
+ };
if (requiresPow) {
const {seed, solution} = await solvePow();
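Review bot: `throw "csrf_token cookie not set, can't make api call";` throws a bare string rather than an Error, so a caller checking `err instanceof Error` or reading `err.message` gets nothing and there is no stack trace; use `throw new Error("csrf_token cookie not set, can't make api call");`. Separately, `utils.cookies` is filled once when utils.js is first imported (it reads `document.cookie` at module top level), so a csrf_token cookie that is set or rotated after page load is never seen here and the call will either throw or send a stale token in `X-CSRF-Token`; reading `document.cookie` at call time through a small `getCookie(name)` helper avoids that. The body of `call` continues past the end of this hunk.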
@@ -57,7 +66,6 @@ const call = async (method, route, opts = {}) => {
}
if (Object.keys(body).length > 0) {
-
const form = new FormData();
for (const key in body) form.append(key, body[key]);
diff --git a/static/src/assets/utils.js b/static/src/assets/utils.js
new file mode 100644
index 0000000..96a2950
--- /dev/null
+++ b/static/src/assets/utils.js
@@ -0,0 +1,12 @@
+const cookies = {};
+const cookieKVs = document.cookie
+ .split(';')
+ .map(cookie => cookie.trim().split('=', 2));
+
+for (const i in cookieKVs) {
+ cookies[cookieKVs[i][0]] = cookieKVs[i][1];
+}
+
+export {
+ cookies,
+}
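Review bot: `cookie.trim().split('=', 2)` truncates any cookie value that itself contains `=` (a base64-encoded token with `=` padding, for example), because the limit keeps only the first two pieces instead of splitting at the first `=` only; splitting at `indexOf('=')` keeps the whole value. The rewrite below also replaces the `for...in` over the array with `for...of`, skips the empty entry that `''.split(';')` yields when no cookies are set (which currently stores `cookies[""] = undefined`), and builds the map with `Object.create(null)` so a cookie named `__proto__` or `constructor` cannot shadow prototype properties. Whether values also need `decodeURIComponent` depends on how the server encodes them, which is not visible here, so confirm before adding it. The `export` block is unchanged.
```javascript
const cookies = Object.create(null);
for (const part of document.cookie.split(';')) {
  const kv = part.trim();
  if (kv === '') continue;
  const eq = kv.indexOf('=');
  const name = eq === -1 ? kv : kv.slice(0, eq);
  const value = eq === -1 ? '' : kv.slice(eq + 1);
  cookies[name] = value;
}
// … unchanged: export { cookies } …
```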