CSRF in Javascript applications

[leodip]

Hi,

I'm trying to understand how to properly use Gorilla CSRF in Javascript applications.

In my application, I include the hidden field with the CSRF token, like this:

bind := map[string]interface{} {
		"csrfField":    csrf.TemplateField(r),
}

<input type="hidden" name="gorilla.csrf.Token" value="3jCudIoHw/pMIeP4wsvgM1AmR8n2rKmob0v66FWKP0kqxjj1gSWaLDLAmKIslnKCc4n7SbgxFEe4hqHrNI2bvA==">

Then, I have some Javascript events that might POST (ajax) to the server, for example:

<button onclick="sendVerificationEmail(event);" id="btnSendVerificationEmail"
                        class="btn btn-primary mt-4 ml-4">Send verification email</button>

function sendVerificationEmail(evt) {

        evt.preventDefault();

        fetch("/account/email-send-verification", {
            method: "POST",
            body: JSON.stringify({}),
            headers: {
                "Content-type": "application/json; charset=UTF-8",
                "X-CSRF-Token": document.getElementsByName("gorilla.csrf.Token")[0].value
            }
        })
        .then((response) => response.json())
        .then((json) => console.log(json));
    }

As you can see, the way I'm passing the token to the server is by reading the value from gorilla.csrf.Token input field.

My question is: if my page needs to make multiple javascript POST requests to the server, can I use the same CSRF token (from the input field) in all of the requests?

Or... for each request, I need to renew the CSRF token in the server, and use a new token for each subsequent request?

Thanks!

@elithrar - if you have a spare minute and could add a comment here I'd appreciate it 🙂