feat: 🔒 add csrf checks

routes/_middleware.ts

@@ -1,4 +1,6 @@
 import { FreshContext } from '$fresh/server.ts'
+import { getCookies, setCookie } from '@std/http/cookie'
+import { SessionStore } from '../src/session/mod.ts'
 
 export async function handler(request: Request, ctx: FreshContext) {
 	// Allow service worker to serve root scope
@@ -7,5 +9,34 @@ export async function handler(request: Request, ctx: FreshContext) {
 	if (url.pathname.endsWith('island-startserviceworker.js')) {
 		response.headers.set('Service-Worker-Allowed', '/')
 	}
+
+	// Start session
+	if (getCookies(request.headers)['_SESSION'] === undefined) {
+		const session = SessionStore.createSession()
+
+		// Set session cookie
+		setCookie(response.headers, {
+			name: '_SESSION',
+			value: session.uuid,
+			httpOnly: true,
+			sameSite: 'Strict',
+			secure: true,
+			expires: SessionStore.maxAge,
+		})
+
+		// Set csrf
+		const csrf = crypto.randomUUID()
+		session.set('_csrf', csrf)
+
+		setCookie(response.headers, {
+			name: '_CSRF',
+			value: csrf,
+			httpOnly: false,
+			sameSite: 'Strict',
+			secure: true,
+			expires: SessionStore.maxAge,
+		})
+	}
+
 	return response
 }