stackpress · cblanquera · Apr 16, 2026 · Apr 12, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/stackpress/package.json b/stackpress/package.json
@@ -130,6 +130,19 @@
       "import": "./esm/language/index.js"
     },
 
+    "./csrf": {
+      "require": "./cjs/index.js",
+      "import": "./esm/index.js"
+    },
+    "./csrf/plugin": {
+      "require": "./cjs/csrf/plugin.js",
+      "import": "./esm/csrf/plugin.js"
+    },
+    "./csrf/types": {
+      "require": "./cjs/csrf/types.js",
+      "import": "./esm/csrf/types.js"
+    },
+
     "./AbstractSchema": {
       "require": "./cjs/schema/interface/AbstractSchema.js",
       "import": "./esm/schema/interface/AbstractSchema.js"

diff --git a/stackpress/src/admin/transform/pages/create.ts b/stackpress/src/admin/transform/pages/create.ts
@@ -51,6 +51,12 @@ export default function generate(directory: Directory, model: Model) {
     moduleSpecifier: 'stackpress/admin/types',
     namedImports: [ 'AdminConfig' ]
   });
+  //import type { CsrfPlugin } from '../../types.js';
+  source.addImportDeclaration({
+    isTypeOnly: true,
+    moduleSpecifier: '../../types.js',
+    namedImports: [ 'CsrfPlugin' ]
+  });
 
   //------------------------------------------------------------------//
   // Import Client
@@ -103,6 +109,10 @@ const language = ctx.config.path<LanguageConfig>('language', {
   locale: 'en_US',
   languages: {}
 });
+//get the csrf plugin
+const csrf = ctx.plugin<CsrfPlugin>('csrf');
+//generate token
+csrf.generateToken(res, ctx);
 const admin = ctx.config.path<AdminConfig>('admin', {});
 //set data for template layer
 res.data.set('view', { 
@@ -128,6 +138,8 @@ res.data.set('admin', {
 
 //if form submitted
 if (req.method === 'POST') {
+  //validate csrf
+  if (!csrf.validateToken(req, res)) return;
   //emit the create event
   const response = await ctx.resolve<<%type%>>('<%event%>-create', req, res);
   //if error

diff --git a/stackpress/src/admin/transform/pages/detail/create.ts b/stackpress/src/admin/transform/pages/detail/create.ts
@@ -134,6 +134,10 @@ if (res.body || (res.code && res.code !== 200)) {
   //let the response pass through
   return;
 }
+//get csrf plugin
+const csrf = ctx.plugin<CsrfPlugin>('csrf');
+//generate token
+csrf.generateToken(res, ctx);
 //get the view, brandm lang and admin config
 const view = ctx.config.path<ViewConfig>('view', {});
 const brand = ctx.config.path<BrandConfig>('brand', {});
@@ -183,6 +187,8 @@ if (detail.code !== 200) {
 
 //if form submitted
 if (req.method === 'POST') {
+  //validate csrf
+  if (!csrf.validateToken(req, res)) return;
   //get the form input
   const input = req.data();
   //set the foreign id

diff --git a/stackpress/src/admin/transform/pages/remove.ts b/stackpress/src/admin/transform/pages/remove.ts
@@ -44,6 +44,12 @@ export default function generate(directory: Directory, model: Model) {
     moduleSpecifier: 'stackpress/admin/types',
     namedImports: [ 'AdminConfig' ]
   });
+  //import type { CsrfPlugin } from '../../types.js';
+  source.addImportDeclaration({
+    isTypeOnly: true,
+    moduleSpecifier: '../../types.js',
+    namedImports: [ 'CsrfPlugin' ]
+  });
 
   //------------------------------------------------------------------//
   // Import Client
@@ -75,6 +81,10 @@ if (res.body || (res.code && res.code !== 200)) {
   //let the response pass through
   return;
 }
+//get csrf plugin
+const csrf = ctx.plugin<CsrfPlugin>('csrf');
+//generate token
+csrf.generateToken(res, ctx);
 //get the view, brandm lang and admin config
 const view = ctx.config.path<ViewConfig>('view', {});
 const brand = ctx.config.path<BrandConfig>('brand', {});
@@ -108,6 +118,19 @@ res.data.set('admin', {
 
 //if confirmed
 if (req.data('confirmed')) {
+  //validate csrf
+  if (!csrf.validateToken(req, res)) {
+    res.session.set('flash', JSON.stringify({
+      type: 'error',
+      message: 'This page may have been requested from an external source. ' +
+        'We corrected the issue. Please try again.',
+      close: 2000
+    }));
+    const base = admin.base ?? '/admin';
+    const id = req.data('id');
+    res.redirect(\`\${base}/<%model%>/remove/\${id}\`);
+    return;
+  };
   //emit remove event
   await ctx.emit('<%event%>-remove', req, res);
   //if OK

diff --git a/stackpress/src/admin/transform/pages/restore.ts b/stackpress/src/admin/transform/pages/restore.ts
@@ -44,6 +44,12 @@ export default function generate(directory: Directory, model: Model) {
     moduleSpecifier: 'stackpress/admin/types',
     namedImports: [ 'AdminConfig' ]
   });
+  //import type { CsrfPlugin } from '../../types.js';
+  source.addImportDeclaration({
+    isTypeOnly: true,
+    moduleSpecifier: '../../types.js',
+    namedImports: [ 'CsrfPlugin' ]
+  });
 
   //------------------------------------------------------------------//
   // Import Client
@@ -81,6 +87,10 @@ if (res.body || (res.code && res.code !== 200)) {
   //let the response pass through
   return;
 }
+//get csrf plugin
+const csrf = ctx.plugin<CsrfPlugin>('csrf');
+//generate token
+csrf.generateToken(res, ctx);
 //get the view, brandm lang and admin config
 const view = ctx.config.path<ViewConfig>('view', {});
 const brand = ctx.config.path<BrandConfig>('brand', {});
@@ -120,6 +130,19 @@ res.data.set('admin', {
 
 //if confirmed
 if (req.data('confirmed')) {
+  //validate csrf
+  if (!csrf.validateToken(req, res)) {
+    res.session.set('flash', JSON.stringify({
+      type: 'error',
+      message: 'This page may have been requested from an external source. ' +
+        'We corrected the issue. Please try again.',
+      close: 2000
+    }));
+    const base = admin.base ?? '/admin';
+    const id = req.data('id');
+    res.redirect(\`\${base}/<%model%>/restore/\${id}\`);
+    return;
+  };
   //emit restore event
   await ctx.emit('<%event%>-restore', req, res);
   //if OK

diff --git a/stackpress/src/admin/transform/pages/update.ts b/stackpress/src/admin/transform/pages/update.ts
@@ -44,6 +44,12 @@ export default function generate(directory: Directory, model: Model) {
     moduleSpecifier: 'stackpress/admin/types',
     namedImports: [ 'AdminConfig' ]
   });
+  //import type { CsrfPlugin } from '../../types.js';
+  source.addImportDeclaration({
+    isTypeOnly: true,
+    moduleSpecifier: '../../types.js',
+    namedImports: [ 'CsrfPlugin' ]
+  });
 
   //------------------------------------------------------------------//
   // Import Client
@@ -92,6 +98,10 @@ if (res.body || (res.code && res.code !== 200)) {
   //let the response pass through
   return;
 }
+//get csrf plugin
+const csrf = ctx.plugin<CsrfPlugin>('csrf');
+//generate token
+csrf.generateToken(res, ctx);
 //get the view, brandm lang and admin config
 const view = ctx.config.path<ViewConfig>('view', {});
 const brand = ctx.config.path<BrandConfig>('brand', {});
@@ -125,6 +135,8 @@ res.data.set('admin', {
 
 //if form submitted
 if (req.method === 'POST' || req.method === 'PUT') {
+  //validate csrf
+  if (!csrf.validateToken(req, res)) return;
   //emit update with the fixed fields
   await ctx.emit('<%event%>-update', req, res);
   //if OK

diff --git a/stackpress/src/admin/transform/views/create.ts b/stackpress/src/admin/transform/views/create.ts
@@ -223,8 +223,12 @@ return (
 CREATE_FORM_BODY:
 `const { input, errors } = props;
 const { _ } = useLanguage();
+const { config } = useServer();
+const tokenKey = config.path('csrf.name', 'csrf');
+const token = config.path('csrf.token', '');
 return (
   <form method="post">
+    <input type="hidden" name={tokenKey} value={token} />
     <%fields%>
     <Button className="submit" type="submit">
       <i className="icon fas fa-fw fa-save"></i>

diff --git a/stackpress/src/admin/transform/views/detail/create.ts b/stackpress/src/admin/transform/views/detail/create.ts
@@ -335,8 +335,12 @@ CREATE_FORM_PROPS:
 CREATE_FORM_BODY:
 `const { input, errors } = props;
 const { _ } = useLanguage();
+const { config } = useServer();
+const tokenKey = config.path('csrf.name', 'csrf');
+const token = config.path('csrf.token', '');
 return (
   <form method="post">
+    <input type="hidden" name={tokenKey} value={token} />
     <%fields%>
     <Button className="submit" type="submit">
       <i className="icon fas fa-fw fa-save"></i>

diff --git a/stackpress/src/admin/transform/views/remove.ts b/stackpress/src/admin/transform/views/remove.ts
@@ -217,6 +217,12 @@ REMOVE_FORM_BODY:
 const { base, can, results } = props;
 //hooks
 const { _ } = useLanguage();
+const { config } = useServer();
+//variables
+const tokenKey = config.path('csrf.name', 'csrf');
+const token = config.path('csrf.token', '');
+const paramsObj = { confirmed: true, [tokenKey]: token };
+const params = new URLSearchParams(paramsObj).toString();
 //render
 return (
   <div>
@@ -238,7 +244,7 @@ return (
           <span>{_('Nevermind.')}</span>
         </a>
       )}
-      <a className="action remove" href="?confirmed=true">
+      <a className="action remove" href={'?' + params}>
         <i className="icon fas fa-fw fa-trash"></i>
         <span>{_('Confirmed')}</span>
       </a>

diff --git a/stackpress/src/admin/transform/views/restore.ts b/stackpress/src/admin/transform/views/restore.ts
@@ -217,6 +217,12 @@ RESTORE_FORM_BODY:
 const { base, can, results } = props;
 //hooks
 const { _ } = useLanguage();
+const { config } = useServer();
+//variables
+const tokenKey = config.path('csrf.name', 'csrf');
+const token = config.path('csrf.token', '');
+const paramsObj = { confirmed: true, [tokenKey]: token };
+const params = new URLSearchParams(paramsObj).toString();
 //render
 return (
   <div>
@@ -236,7 +242,7 @@ return (
           <span>{_('Nevermind.')}</span>
         </a>
       )}
-      <a className="action restore" href="?confirmed=true">
+      <a className="action restore" href={'?' + params}>
         <i className="icon fas fa-fw fa-check-circle"></i>
         <span>{_('Confirmed')}</span>
       </a>

diff --git a/stackpress/src/admin/transform/views/update.ts b/stackpress/src/admin/transform/views/update.ts
@@ -246,8 +246,12 @@ UPDATE_FORM_PROPS:
 UPDATE_FORM_BODY:
 `const { input, errors } = props;
 const { _ } = useLanguage();
+const { config } = useServer();
+const tokenKey = config.path('csrf.name', 'csrf');
+const token = config.path('csrf.token', '');
 return (
   <form method="post">
+    <input type="hidden" name={tokenKey} value={token} />
     <%fields%>
     <Button className="submit" type="submit">
       <i className="icon fas fa-fw fa-save"></i>

diff --git a/stackpress/src/csrf/index.ts b/stackpress/src/csrf/index.ts
@@ -0,0 +1,4 @@
+export {
+  CsrfConfig,
+  CsrfPlugin
+} from './types';
diff --git a/stackpress/src/csrf/plugin.ts b/stackpress/src/csrf/plugin.ts
@@ -0,0 +1,71 @@
+//node
+import crypto from 'node:crypto';
+//stackpress
+import Server from '@stackpress/ingest/Server';
+import { type Request, type Response } from '@stackpress/ingest';
+//local
+import { CsrfConfig } from './types';
+import Exception from '../Exception.js';
+
+export default function plugin(ctx: Server) {
+  ctx.on('config', (_req, _res, ctx) => {
+    //if no csrf config, disable csrf
+    if (!ctx.config.get('csrf')) return;
+    //configure and register csrf
+    ctx.register('csrf', {
+      generateToken(res: Response, ctx: Server) {
+        const token = crypto.randomBytes(32).toString('hex');
+        //get csrf name from config
+        const csrf = ctx.config.path<CsrfConfig>('csrf', {});
+        //set new token in session
+        res.session.set(csrf.name || 'csrf', token);
+        //set token in the response data for server side rendering
+        res.data.set('csrf', {
+          name: csrf.name || 'csrf',
+          token: token
+        });
+        //return the token
+        return token;
+      },
+      validateToken(req: Request, res: Response) {
+        //get csrf name from config
+        const name = ctx.config.path<string>('csrf.name', 'csrf');
+        //extract token from session and request
+        const sessionToken = String(req.session.get(name));
+        const inputToken = String(req.data(name));
+
+        //convert tokens to buffers for timingSafeEqual
+        const sessionBuffer = Buffer.from(sessionToken, 'utf-8');
+        const inputBuffer = Buffer.from(inputToken, 'utf-8');
+
+        const errorMessage = `This page may have been requested from an external source. 
+          We corrected the issue. Please try again.`;
+
+        const exception = Exception
+          .for(errorMessage);
+
+        if (sessionBuffer.length !== inputBuffer.length) {
+          res.setError(
+            exception.toResponse(),
+            {},
+            [],
+            419,
+            'Page Expired'
+          );
+          return false;
+        }
+        if (!crypto.timingSafeEqual(sessionBuffer, inputBuffer)) {
+          res.setError(
+            exception.toResponse(),
+            {},
+            [],
+            419,
+            'Page Expired'
+          );
+          return false;
+        }
+        return true;
+      }
+    });
+  });
+}
diff --git a/stackpress/src/csrf/types.ts b/stackpress/src/csrf/types.ts
@@ -0,0 +1,12 @@
+import type Response from '@stackpress/ingest/Response';
+import type Request from '@stackpress/ingest/Request';
+import type Server from '@stackpress/ingest/Server';
+
+export type CsrfConfig = {
+  name?: string | undefined
+};
+
+export type CsrfPlugin = {
+  generateToken(res: Response, ctx: Server): string,
+  validateToken(req: Request, res: Response): boolean
+};
diff --git a/stackpress/src/index.ts b/stackpress/src/index.ts
@@ -210,6 +210,9 @@ export type {
   BuildConfig,
   ProductionConfig,
   ReactusConfig,
+  //stackpress/csrf
+  CsrfConfig,
+  CsrfPlugin,
   //others
   Scalar,
   ExtendsType,

diff --git a/stackpress/src/plugin.ts b/stackpress/src/plugin.ts
@@ -9,6 +9,7 @@ import admin from './admin/plugin.js';
 import language from './language/plugin.js';
 import session from './session/plugin.js';
 import api from './api/plugin.js';
+import csrf from './csrf/plugin.js';
 
 export default async function plugin(server: Server) {
   //load the plugins
@@ -20,4 +21,5 @@ export default async function plugin(server: Server) {
   language(server);
   session(server);
   api(server);
+  csrf(server);
 };