fix: pass CSRF token to API-rendered item cards

The explore and hashtag API controllers rendered ap-item-card.njk with csrfToken: "" causing Like/Boost/Save buttons in tab panels to fail with 403 Invalid CSRF token. Now generates a proper token from the session via getToken().
2026-02-28 17:31:54 +01:00
parent 35f1f13096
commit ecba2b5748
4 changed files with 8 additions and 5 deletions
@@ -188,10 +188,11 @@ export function exploreApiController(mountPath) {
      }
      // Render each card server-side
      const csrfToken = getToken(request.session);
      const templateData = {
        ...response.locals,
        mountPath,
-        csrfToken: "",
+        csrfToken,
        interactionMap: {},
      };
@@ -17,6 +17,7 @@
 */
 import { validateHashtag, mapMastodonStatusToItem } from "./explore-utils.js";
 import { getToken } from "../csrf.js";
 const FETCH_TIMEOUT_MS = 10_000;
 const PAGE_SIZE = 20;
@@ -183,10 +184,11 @@ export function hashtagExploreApiController(mountPath) {
      );
      // Render HTML AFTER merge/dedup/paginate (don't waste CPU on discarded items)
      const csrfToken = getToken(request.session);
      const templateData = {
        ...response.locals,
        mountPath,
-        csrfToken: "",
+        csrfToken,
        interactionMap: {},
      };
@@ -1,12 +1,12 @@
 {
  "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.0.0",
+  "version": "2.1.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@rmdes/indiekit-endpoint-activitypub",
-      "version": "2.0.0",
+      "version": "2.1.1",
      "license": "MIT",
      "dependencies": {
        "@fedify/debugger": "^2.0.0",
@@ -1,6 +1,6 @@
 {
  "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.1.0",
+  "version": "2.1.1",
  "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
  "keywords": [
    "indiekit",