add csrf protection

app/__init__.py

@@ -10,12 +10,13 @@ from .constants import (
     )
 from .lib.babycode import babycode_to_html, babycode_to_rssxml, EMOJI, BABYCODE_VERSION
 from .lib.exceptions import SiteNameMissingException
-from .util import get_post_url, dict_to_query_string
+from .util import get_post_url, dict_to_query_string, csrf_input, get_csrf_token
 from datetime import datetime, timezone
 from flask_caching import Cache
 import os
 import time
 import secrets
+import hmac
 import tomllib
 import json
 
@@ -238,6 +239,17 @@ def create_app():
                 session.clear()
                 return redirect(url_for('topics.all_topics'))
 
+    @app.before_request
+    def generate_csrf_token():
+        if is_logged_in() and not session.get('csrf'):
+            rng = secrets.token_bytes(32)
+            session_key = session['pyrom_session_key']
+            message = f'd${len(session_key)}${session_key}@{len(rng)}@{rng.hex()}'
+            hashed = hmac.digest(app.config['SECRET_KEY'].encode('utf-8'), message.encode('utf-8'), 'SHA256')
+            csrf_token = f'{hashed.hex()}.{rng.hex()}'
+
+            session['csrf'] = csrf_token
+
     commit = ''
     with open('.git/refs/heads/main') as f:
         commit = f.read().strip()
@@ -264,6 +276,8 @@ def create_app():
             'is_mod': lambda: is_logged_in() and get_active_user().is_mod(),
             'get_active_user': get_active_user,
             'get_post_url': get_post_url,
+            'csrf_input': csrf_input,
+            'get_csrf_token': get_csrf_token,
         }
 
     @app.template_filter('ts_datetime')