fix: add CSRF tokens to HTMX endpoints and fetch calls (wd-cz1)

- Add global htmx:configRequest listener to auto-inject CSRF token on non-GET requests
- Add authenticityToken to bookmark.js and reading-tracker.js fetch POST calls
- Add CSRF tokens to blog show.cfm hx-post elements

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bpamiri

app/views/web/BlogController/show.cfm

@@ -296,10 +296,15 @@
                 if (rect.top <= window.innerHeight - 50) {
                     completed = true;
                     const blogId = document.querySelector('[data-blog-id]').getAttribute('data-blog-id');
+                    var csrfToken = document.querySelector('meta[name="csrf-token"]');
+                    var tokenVal = csrfToken ? csrfToken.getAttribute('content') : '';
                     fetch('/reading-history/complete', {
                         method: 'POST',
-                        headers: {'Content-Type': 'application/x-www-form-urlencoded'},
-                        body: 'blogId=' + blogId
+                        headers: {
+                            'Content-Type': 'application/x-www-form-urlencoded',
+                            'X-CSRF-TOKEN': tokenVal
+                        },
+                        body: 'blogId=' + blogId + '&authenticityToken=' + encodeURIComponent(tokenVal)
                     });
                 }
             }

public/javascripts/adminglobal.js

@@ -1,17 +1,22 @@
 // Bookmark toggle
 function toggleBookmark(blogId, button) {
+  var token = document.querySelector('meta[name="csrf-token"]');
+  var tokenValue = token ? token.getAttribute('content') : '';
   fetch('/bookmark/toggle', {
     method: 'POST',
-    headers: {'Content-Type': 'application/json'},
+    headers: {
+      'Content-Type': 'application/json',
+      'X-CSRF-TOKEN': tokenValue
+    },
     body: JSON.stringify({blogId: blogId})
   })
   .then(response => response.json())
   .then(data => {
     if (data.bookmarked) {
-      button.innerHTML = '★ Bookmarked';
+      button.textContent = '\u2605 Bookmarked';
       button.classList.add('bookmarked');
     } else {
-      button.innerHTML = '☆ Bookmark';
+      button.textContent = '\u2606 Bookmark';
       button.classList.remove('bookmarked');
     }
   });

public/javascripts/bookmark.js

@@ -3,6 +3,8 @@ class ReadingTracker {
   constructor(blogId) {
     this.blogId = blogId;
     this.trackingInterval = null;
+    var tokenEl = document.querySelector('meta[name="csrf-token"]');
+    this.csrfToken = tokenEl ? tokenEl.getAttribute('content') : '';
     this.init();
   }
 
@@ -26,15 +28,21 @@ class ReadingTracker {
   trackRead() {
     fetch('/reading-history/track', {
       method: 'POST',
-      headers: {'Content-Type': 'application/json'},
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-TOKEN': this.csrfToken
+      },
       body: JSON.stringify({blogId: this.blogId})
     });
   }
 
   markComplete() {
     fetch('/reading-history/complete', {
       method: 'POST',
-      headers: {'Content-Type': 'application/json'},
+      headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-TOKEN': this.csrfToken
+      },
       body: JSON.stringify({blogId: this.blogId})
     });
     clearInterval(this.trackingInterval);