feat: require csrf token if not using bearer token

public/src/modules/api.js

@@ -5,7 +5,11 @@ define('api', () => {
 	const baseUrl = config.relative_path + '/api/v3';
 
 	function call(options, onSuccess, onError) {
-		$.ajax(options)
+		$.ajax(Object.assign({
+			headers: {
+				'x-csrf-token': config.csrf_token,
+			},
+		}, options))
 			.done((res) => {
 				if (onSuccess) {
 					onSuccess(res.response);

src/middleware/index.js

@@ -48,6 +48,7 @@ middleware.applyCSRF = function (req, res, next) {
 		next();
 	}
 };
+middleware.applyCSRFasync = util.promisify(middleware.applyCSRF);
 
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
 

src/middleware/user.js

@@ -34,6 +34,10 @@ module.exports = function (middleware) {
 		const loginAsync = util.promisify(req.login).bind(req);
 
 		if (req.loggedIn) {
+			if (res.locals.isAPI) {
+				await middleware.applyCSRFasync(req, res);
+			}
+
 			return true;
 		} else if (req.headers.hasOwnProperty('authorization')) {
 			const user = await passportAuthenticateAsync(req, res);