From ecba2b57484dd51156671b838c8dce5e3d6e0e1f Mon Sep 17 00:00:00 2001
From: Ricardo
Date: Sat, 28 Feb 2026 17:31:54 +0100
Subject: [PATCH] fix: pass CSRF token to API-rendered item cards
The explore and hashtag API controllers rendered ap-item-card.njk with csrfToken: "" causing Like/Boost/Save buttons in tab panels to fail with 403 Invalid CSRF token. Now generates a proper token from the session via getToken().
---
 lib/controllers/explore.js | 3 ++-
 lib/controllers/hashtag-explore.js | 4 +++-
 package-lock.json | 4 ++--
 package.json | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/controllers/explore.js b/lib/controllers/explore.js
index 7b81335..ea4bea3 100644
--- a/lib/controllers/explore.js
+++ b/lib/controllers/explore.js
@@ -188,10 +188,11 @@ export function exploreApiController(mountPath) {
 }
 // Render each card server-side
+ const csrfToken = getToken(request.session);
 const templateData = {
 ...response.locals,
 mountPath,
- csrfToken: "",
+ csrfToken,
 interactionMap: {},
 };
diff --git a/lib/controllers/hashtag-explore.js b/lib/controllers/hashtag-explore.js
index 625c324..cfc39f9 100644
--- a/lib/controllers/hashtag-explore.js
+++ b/lib/controllers/hashtag-explore.js
@@ -17,6 +17,7 @@
 */
 import { validateHashtag, mapMastodonStatusToItem } from "./explore-utils.js";
+import { getToken } from "../csrf.js";
 const FETCH_TIMEOUT_MS = 10_000;
 const PAGE_SIZE = 20;
@@ -183,10 +184,11 @@ export function hashtagExploreApiController(mountPath) {
 );
 // Render HTML AFTER merge/dedup/paginate (don't waste CPU on discarded items)
+ const csrfToken = getToken(request.session);
 const templateData = {
 ...response.locals,
 mountPath,
- csrfToken: "",
+ csrfToken,
 interactionMap: {},
 };
diff --git a/package-lock.json b/package-lock.json
index 064bc91..0ed614d 100644
--- a/package-lock.json
+++ b/package-lock.json
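Review bot: `getToken` is called in the explore.js hunk (`const csrfToken = getToken(request.session);`) but this diff adds no import for it in that file, whereas hashtag-explore.js gains `import { getToken } from "../csrf.js";` in the same commit. The diffstat lists only three changed lines for explore.js, so unless the file already imports `getToken` outside this hunk, the handler would throw a ReferenceError on every request instead of rendering cards. Confirm the import is present, or add `import { getToken } from "../csrf.js";` at the top of lib/controllers/explore.js. The handler body starts and ends outside the hunk.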
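Review bot: The card HTML rendered in the hashtag-explore.js hunk at -183/+184 now embeds a session-bound CSRF token, so the API response carrying it must be treated as per-user data: it should not be stored by a browser or shared cache and should be readable same-origin only. No cache header is set in the visible lines, so if the handler does not already send one, add `response.set("Cache-Control", "no-store");` before the response is written (assuming an Express-style response object). `request.session` is also passed to `getToken` unchecked; if this route can be reached without a session, a guard such as `const csrfToken = request.session ? getToken(request.session) : "";` keeps the endpoint from failing. Both points apply equally to the explore.js hunk at -188/+188, and both handler bodies continue outside the hunks.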
@@ -1,12 +1,12 @@ { "name": "@rmdes/indiekit-endpoint-activitypub", - "version": "2.0.0", + "version": "2.1.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@rmdes/indiekit-endpoint-activitypub", - "version": "2.0.0", + "version": "2.1.1", "license": "MIT", "dependencies": { "@fedify/debugger": "^2.0.0",
diff --git a/package.json b/package.json
index 534177b..cdb81dd 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rmdes/indiekit-endpoint-activitypub",
- "version": "2.1.0",
+ "version": "2.1.1",
 "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
 "keywords": [
 "indiekit",