update csrf initialization

Signed-off-by: Maurice Preuß (envoyr) <envoyr@froxlor.org>

lib/init.php

@@ -314,15 +314,20 @@ $mail = new Mailer(true);
 
 // initialize csrf
 if (CurrentUser::hasSession()) {
-	$new_token = Froxlor::genSessionId(20);
+	// create new csrf token if not set
-	UI::twig()->addGlobal('csrf_token', $new_token);
+	if (!$csrf_token = CurrentUser::getField('csrf_token')) {
-	if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+		$csrf_token = Froxlor::genSessionId(20);
+		CurrentUser::setField('csrf_token', $csrf_token);
+	}
+	// set csrf token for twig
+	UI::twig()->addGlobal('csrf_token', $csrf_token);
+	// check if csrf token is valid
+	if (in_array($_SERVER['REQUEST_METHOD'], ['POST', 'PUT', 'PATCH', 'DELETE'])) {
 		$current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
 		if ($current_token != CurrentUser::getField('csrf_token')) {
 			Response::dynamicError('CSRF validation failed');
 		}
 	}
-	CurrentUser::setField('csrf_token', $new_token);
 	// update cookie lifetime
 	$cookie_params = [
 		'expires' => time() + Settings::Get('session.sessiontimeout'),

templates/Froxlor/base.html.twig

@@ -7,7 +7,7 @@
 	<meta name="robots" content="noindex, nofollow, noarchive"/>
 	<meta name="googlebot" content="nosnippet"/>
 	<link rel="icon" type="image/x-icon" href="{{ basehref|default('') }}templates/Froxlor/assets/img/icon.png">
-	<meta name="csrf-token" content="{{ csrf_token }}" />
+	{% if csrf_token %}<meta name="csrf-token" content="{{ csrf_token }}" />{% endif %}
 
 	<!-- CSS -->
 	{% if theme_css is empty %}