From 08811a6da78c3f1f973b8f50a337ff4dc4ed9e2c Mon Sep 17 00:00:00 2001
From: Brian Picciano <mediocregopher@gmail.com>
Date: Tue, 24 May 2022 17:42:00 -0600
Subject: Replace CSRF token checking with Referer checking

---
 srv/src/http/tpl/assets.html    |  6 ------
 srv/src/http/tpl/edit-post.html |  4 ----
 srv/src/http/tpl/load-csrf.html | 13 -------------
 srv/src/http/tpl/posts.html     |  5 -----
 4 files changed, 28 deletions(-)
 delete mode 100644 srv/src/http/tpl/load-csrf.html

(limited to 'srv/src/http/tpl')

diff --git a/srv/src/http/tpl/assets.html b/srv/src/http/tpl/assets.html
index 86e0ba5..41d470c 100644
--- a/srv/src/http/tpl/assets.html
+++ b/srv/src/http/tpl/assets.html
@@ -1,7 +1,5 @@
 {{ define "body" }}
 
-{{ $csrfFormInput := .CSRFFormInput }}
-
 <h2>Upload Asset</h2>
 
 <p>
@@ -10,7 +8,6 @@
 </p>
 
 <form action="{{ BlogURL "assets/" }}" method="POST" enctype="multipart/form-data">
-  {{ $csrfFormInput }}
   <div class="row">
     <div class="four columns">
       <input type="text" placeholder="Unique ID" name="id" />
@@ -37,7 +34,6 @@
           method="POST"
           style="margin-bottom: 0;"
           >
-          {{ $csrfFormInput }}
           <input type="submit" value="Delete" />
         </form>
       </td>
@@ -46,8 +42,6 @@
 
 </table>
 
-{{ template "load-csrf.html" . }}
-
 {{ end }}
 
 {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/edit-post.html b/srv/src/http/tpl/edit-post.html
index 48af882..1a81df4 100644
--- a/srv/src/http/tpl/edit-post.html
+++ b/srv/src/http/tpl/edit-post.html
@@ -2,8 +2,6 @@
 
   <form method="POST" action="{{ BlogURL "posts/" }}">
 
-    {{ .CSRFFormInput }}
-
     <div class="row">
 
       <div class="columns six">
@@ -99,8 +97,6 @@
 
   </form>
 
-  {{ template "load-csrf.html" . }}
-
 {{ end }}
 
 {{ template "base.html" . }}
diff --git a/srv/src/http/tpl/load-csrf.html b/srv/src/http/tpl/load-csrf.html
deleted file mode 100644
index b0757f9..0000000
--- a/srv/src/http/tpl/load-csrf.html
+++ /dev/null
@@ -1,13 +0,0 @@
-<script async type="module" src="{{ StaticURL "api.js" }}"></script>
-
-<script type="text/javascript">
-  (async () => {
-    const api = await import("{{ StaticURL "api.js" }}");
-    const res = await api.call("/api/csrf");
-
-    const els = document.getElementsByClassName("csrfHiddenInput");
-    for (let i = 0; i < els.length; i++) {
-      els[i].value = res.CSRFToken;
-    }
-  })();
-</script>
diff --git a/srv/src/http/tpl/posts.html b/srv/src/http/tpl/posts.html
index 0609ff6..885018d 100644
--- a/srv/src/http/tpl/posts.html
+++ b/srv/src/http/tpl/posts.html
@@ -18,8 +18,6 @@
 
 {{ define "body" }}
 
-  {{ $csrfFormInput := .CSRFFormInput }}
-
   <p style="text-align: center;">
     <a href="{{ BlogURL "posts/" }}?edit">
       <button>New Post</button>
@@ -44,7 +42,6 @@
             action="{{ PostURL .ID }}?method=delete"
             method="POST"
             >
-            {{ $csrfFormInput }}
             <input type="submit" value="Delete" />
           </form>
         </td>
@@ -55,8 +52,6 @@
 
   {{ template "posts-nextprev" . }}
 
-  {{ template "load-csrf.html" . }}
-
 {{ end }}
 
 {{ template "base.html" . }}
-- 
cgit v1.2.3