feat: add automatic CSRF protection for action calls

Generate a per-context CSRF token (128-bit, crypto/rand) and inject it as a Datastar signal (via-csrf) alongside via-ctx. Validate with constant-time comparison on /_action/{id} before executing, returning 403 on mismatch. Transparent to users since Datastar sends all signals automatically. Closes #9
feat: add event types OnSubmit, OnInput, OnFocus, OnBlur, OnMouseEnter, OnMouseLeave, OnScroll, OnDblClick
2026-02-06 11:17:41 -10:00 · 2026-02-06 10:54:27 -10:00 · 2026-02-06 10:34:28 -10:00
5 changed files with 302 additions and 24 deletions
--- a/actiontrigger.go
+++ b/actiontrigger.go
@@ -107,6 +107,54 @@ func (a *actionTrigger) OnChange(options ...ActionTriggerOption) h.H {
 	return h.Data("on:change__debounce.200ms", buildOnExpr(actionURL(a.id), &opts))
 }

+// OnSubmit returns a via.h DOM attribute that triggers on form submit.
+func (a *actionTrigger) OnSubmit(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:submit", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnInput returns a via.h DOM attribute that triggers on input (without debounce).
+func (a *actionTrigger) OnInput(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:input", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnFocus returns a via.h DOM attribute that triggers when the element gains focus.
+func (a *actionTrigger) OnFocus(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:focus", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnBlur returns a via.h DOM attribute that triggers when the element loses focus.
+func (a *actionTrigger) OnBlur(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:blur", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnMouseEnter returns a via.h DOM attribute that triggers when the mouse enters the element.
+func (a *actionTrigger) OnMouseEnter(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:mouseenter", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnMouseLeave returns a via.h DOM attribute that triggers when the mouse leaves the element.
+func (a *actionTrigger) OnMouseLeave(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:mouseleave", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnScroll returns a via.h DOM attribute that triggers on scroll.
+func (a *actionTrigger) OnScroll(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:scroll", buildOnExpr(actionURL(a.id), &opts))
+}
+
+// OnDblClick returns a via.h DOM attribute that triggers on double click.
+func (a *actionTrigger) OnDblClick(options ...ActionTriggerOption) h.H {
+	opts := applyOptions(options...)
+	return h.Data("on:dblclick", buildOnExpr(actionURL(a.id), &opts))
+}
+
 // OnKeyDown returns a via.h DOM attribute that triggers when a key is pressed.
 // key: optional, see https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/key
 // Example: OnKeyDown("Enter")
--- a/configuration.go
+++ b/configuration.go
@@ -1,6 +1,8 @@
 package via

 import (
+	"time"
+
 	"github.com/alexedwards/scs/v2"
 	"github.com/rs/zerolog"
 )
@@ -54,4 +56,9 @@ type Options struct {
 	// PubSub enables publish/subscribe messaging. Use vianats.New() for an
 	// embedded NATS backend, or supply any PubSub implementation.
 	PubSub PubSub
+
+	// ContextTTL is the maximum time a context may exist without an SSE
+	// connection before the background reaper disposes it.
+	// Default: 30s. Negative value disables the reaper.
+	ContextTTL time.Duration
 }
--- a/context.go
+++ b/context.go
@@ -8,6 +8,7 @@ import (
 	"maps"
 	"reflect"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/ryanhamamura/via/h"
@@ -19,6 +20,7 @@ import (
 type Context struct {
 	id                string
 	route             string
+	csrfToken         string
 	app               *V
 	view              func() h.H
 	routeParams       map[string]string
@@ -33,6 +35,8 @@ type Context struct {
 	subscriptions     []Subscription
 	subsMu            sync.Mutex
 	disposeOnce       sync.Once
+	createdAt         time.Time
+	sseConnected      atomic.Bool
 }

 // View defines the UI rendered by this context.
@@ -474,6 +478,7 @@ func newContext(id string, route string, v *V) *Context {
 	return &Context{
 		id:                id,
 		route:             route,
+		csrfToken:         genCSRFToken(),
 		routeParams:       make(map[string]string),
 		app:               v,
 		componentRegistry: make(map[string]*Context),
@@ -481,5 +486,6 @@ func newContext(id string, route string, v *V) *Context {
 		signals:           new(sync.Map),
 		patchChan:         make(chan patch, 1),
 		ctxDisposedChan:   make(chan struct{}, 1),
+		createdAt:         time.Now(),
 	}
 }
--- a/via.go
+++ b/via.go
@@ -10,6 +10,7 @@ import (
 	"context"
 	"crypto/rand"
 	_ "embed"
+	"crypto/subtle"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
@@ -50,6 +51,7 @@ type V struct {
 	datastarPath         string
 	datastarContent      []byte
 	datastarOnce         sync.Once
+	reaperStop           chan struct{}
 }

 func (v *V) logEvent(evt *zerolog.Event, c *Context) *zerolog.Event {
@@ -127,6 +129,9 @@ func (v *V) Config(cfg Options) {
 	if cfg.PubSub != nil {
 		v.pubsub = cfg.PubSub
 	}
+	if cfg.ContextTTL != 0 {
+		v.cfg.ContextTTL = cfg.ContextTTL
+	}
 }

 // AppendToHead appends the given h.H nodes to the head of the base HTML document.
@@ -199,7 +204,7 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 		headElements := []h.H{h.Script(h.Type("module"), h.Src(v.datastarPath))}
 		headElements = append(headElements, v.documentHeadIncludes...)
 		headElements = append(headElements,
-			h.Meta(h.Data("signals", fmt.Sprintf("{'via-ctx':'%s'}", id))),
+			h.Meta(h.Data("signals", fmt.Sprintf("{'via-ctx':'%s','via-csrf':'%s'}", id, c.csrfToken))),
 			h.Meta(h.Data("init", "@get('/_sse')")),
 			h.Meta(h.Data("init", fmt.Sprintf(`window.addEventListener('beforeunload', (evt) => {
 			navigator.sendBeacon('/_session/close', '%s');});`, c.id))),
@@ -238,6 +243,14 @@ func (v *V) currSessionNum() int {
 	return len(v.contextRegistry)
 }

+func (v *V) cleanupCtx(c *Context) {
+	c.dispose()
+	if v.cfg.DevMode {
+		v.devModeRemovePersisted(c)
+	}
+	v.unregisterCtx(c)
+}
+
 func (v *V) unregisterCtx(c *Context) {
 	if c.id == "" {
 		v.logErr(c, "unregister ctx failed: ctx contains empty id")
@@ -259,6 +272,50 @@ func (v *V) getCtx(id string) (*Context, error) {
 	return nil, fmt.Errorf("ctx '%s' not found", id)
 }

+func (v *V) startReaper() {
+	ttl := v.cfg.ContextTTL
+	if ttl < 0 {
+		return
+	}
+	if ttl == 0 {
+		ttl = 30 * time.Second
+	}
+	interval := ttl / 3
+	if interval < 5*time.Second {
+		interval = 5 * time.Second
+	}
+	v.reaperStop = make(chan struct{})
+	go func() {
+		ticker := time.NewTicker(interval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-v.reaperStop:
+				return
+			case <-ticker.C:
+				v.reapOrphanedContexts(ttl)
+			}
+		}
+	}()
+}
+
+func (v *V) reapOrphanedContexts(ttl time.Duration) {
+	now := time.Now()
+	v.contextRegistryMutex.RLock()
+	var orphans []*Context
+	for _, c := range v.contextRegistry {
+		if !c.sseConnected.Load() && now.Sub(c.createdAt) > ttl {
+			orphans = append(orphans, c)
+		}
+	}
+	v.contextRegistryMutex.RUnlock()
+
+	for _, c := range orphans {
+		v.logInfo(c, "reaping orphaned context (no SSE connection after %s)", ttl)
+		v.cleanupCtx(c)
+	}
+}
+
 // Start starts the Via HTTP server and blocks until a SIGINT or SIGTERM
 // signal is received, then performs a graceful shutdown.
 func (v *V) Start() {
@@ -271,6 +328,8 @@ func (v *V) Start() {
 		Handler: handler,
 	}

+	v.startReaper()
+
 	errCh := make(chan error, 1)
 	go func() {
 		errCh <- v.server.ListenAndServe()
@@ -301,6 +360,9 @@ func (v *V) Shutdown() {
 }

 func (v *V) shutdown() {
+	if v.reaperStop != nil {
+		close(v.reaperStop)
+	}
 	v.logInfo(nil, "draining all contexts")
 	v.drainAllContexts()

@@ -400,10 +462,7 @@ func (v *V) devModeRemovePersisted(c *Context) {
 	}
 	file.Close()

-	// remove ctx to persisted list
-	if _, ok := ctxRegMap[c.id]; !ok {
 	delete(ctxRegMap, c.id)
-	}

 	// write persisted list to file
 	file, err = os.Create(p)
@@ -507,6 +566,7 @@ func New() *V {
 		// use last-event-id to tell if request is a sse reconnect
 		sse.Send(datastar.EventTypePatchElements, []string{}, datastar.WithSSEEventId("via"))

+		c.sseConnected.Store(true)
 		v.logDebug(c, "SSE connection established")

 		go func() {
@@ -517,6 +577,7 @@ func New() *V {
 			select {
 			case <-sse.Context().Done():
 				v.logDebug(c, "SSE connection ended")
+				v.cleanupCtx(c)
 				return
 			case <-c.ctxDisposedChan:
 				v.logDebug(c, "context disposed, closing SSE")
@@ -572,6 +633,12 @@ func New() *V {
 			v.logErr(nil, "action '%s' failed: %v", actionID, err)
 			return
 		}
+		csrfToken, _ := sigs["via-csrf"].(string)
+		if subtle.ConstantTimeCompare([]byte(csrfToken), []byte(c.csrfToken)) != 1 {
+			v.logWarn(c, "action '%s' rejected: invalid CSRF token", actionID)
+			http.Error(w, "invalid CSRF token", http.StatusForbidden)
+			return
+		}
 		c.reqCtx = r.Context()
 		actionFn, err := c.getActionFn(actionID)
 		if err != nil {
@@ -603,12 +670,8 @@ func New() *V {
 			v.logErr(c, "failed to handle session close: %v", err)
 			return
 		}
-		c.dispose()
 		v.logDebug(c, "session close event triggered")
-		if v.cfg.DevMode {
-			v.devModeRemovePersisted(c)
-		}
-		v.unregisterCtx(c)
+		v.cleanupCtx(c)
 	})
 	return v
 }
@@ -619,6 +682,12 @@ func genRandID() string {
 	return hex.EncodeToString(b)[:8]
 }

+func genCSRFToken() string {
+	b := make([]byte, 16)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
 func extractParams(pattern, path string) map[string]string {
 	p := strings.Split(strings.Trim(pattern, "/"), "/")
 	u := strings.Split(strings.Trim(path, "/"), "/")
--- a/via_test.go
+++ b/via_test.go
@@ -1,9 +1,13 @@
 package via

 import (
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
+	"time"

 	"github.com/ryanhamamura/via/h"
 	"github.com/stretchr/testify/assert"
@@ -128,6 +132,60 @@ func TestAction(t *testing.T) {
 	assert.Contains(t, body, "/_action/")
 }

+func TestEventTypes(t *testing.T) {
+	tests := []struct {
+		name     string
+		attr     string
+		buildEl  func(trigger *actionTrigger) h.H
+	}{
+		{"OnSubmit", "data-on:submit", func(tr *actionTrigger) h.H { return h.Form(tr.OnSubmit()) }},
+		{"OnInput", "data-on:input", func(tr *actionTrigger) h.H { return h.Input(tr.OnInput()) }},
+		{"OnFocus", "data-on:focus", func(tr *actionTrigger) h.H { return h.Input(tr.OnFocus()) }},
+		{"OnBlur", "data-on:blur", func(tr *actionTrigger) h.H { return h.Input(tr.OnBlur()) }},
+		{"OnMouseEnter", "data-on:mouseenter", func(tr *actionTrigger) h.H { return h.Div(tr.OnMouseEnter()) }},
+		{"OnMouseLeave", "data-on:mouseleave", func(tr *actionTrigger) h.H { return h.Div(tr.OnMouseLeave()) }},
+		{"OnScroll", "data-on:scroll", func(tr *actionTrigger) h.H { return h.Div(tr.OnScroll()) }},
+		{"OnDblClick", "data-on:dblclick", func(tr *actionTrigger) h.H { return h.Div(tr.OnDblClick()) }},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var trigger *actionTrigger
+			v := New()
+			v.Page("/", func(c *Context) {
+				trigger = c.Action(func() {})
+				c.View(func() h.H { return tt.buildEl(trigger) })
+			})
+
+			req := httptest.NewRequest("GET", "/", nil)
+			w := httptest.NewRecorder()
+			v.mux.ServeHTTP(w, req)
+			body := w.Body.String()
+			assert.Contains(t, body, tt.attr)
+			assert.Contains(t, body, "/_action/"+trigger.id)
+		})
+	}
+
+	t.Run("WithSignal", func(t *testing.T) {
+		var trigger *actionTrigger
+		var sig *signal
+		v := New()
+		v.Page("/", func(c *Context) {
+			trigger = c.Action(func() {})
+			sig = c.Signal("val")
+			c.View(func() h.H {
+				return h.Div(trigger.OnDblClick(WithSignal(sig, "x")))
+			})
+		})
+
+		req := httptest.NewRequest("GET", "/", nil)
+		w := httptest.NewRecorder()
+		v.mux.ServeHTTP(w, req)
+		body := w.Body.String()
+		assert.Contains(t, body, "data-on:dblclick")
+		assert.Contains(t, body, "$"+sig.ID()+"=&#39;x&#39;")
+	})
+}
+
 func TestOnKeyDownWithWindow(t *testing.T) {
 	var trigger *actionTrigger
 	v := New()
@@ -235,3 +293,93 @@ func TestPage_PanicsOnNoView(t *testing.T) {
 		v.Page("/", func(c *Context) {})
 	})
 }
+
+func TestReaperCleansOrphanedContexts(t *testing.T) {
+	v := New()
+	c := newContext("orphan-1", "/", v)
+	c.createdAt = time.Now().Add(-time.Minute) // created 1 min ago
+	v.registerCtx(c)
+
+	_, err := v.getCtx("orphan-1")
+	assert.NoError(t, err)
+
+	v.reapOrphanedContexts(10 * time.Second)
+
+	_, err = v.getCtx("orphan-1")
+	assert.Error(t, err, "orphaned context should have been reaped")
+}
+
+func TestReaperIgnoresConnectedContexts(t *testing.T) {
+	v := New()
+	c := newContext("connected-1", "/", v)
+	c.createdAt = time.Now().Add(-time.Minute)
+	c.sseConnected.Store(true)
+	v.registerCtx(c)
+
+	v.reapOrphanedContexts(10 * time.Second)
+
+	_, err := v.getCtx("connected-1")
+	assert.NoError(t, err, "connected context should survive reaping")
+}
+
+func TestReaperDisabledWithNegativeTTL(t *testing.T) {
+	v := New()
+	v.cfg.ContextTTL = -1
+	v.startReaper()
+	assert.Nil(t, v.reaperStop, "reaper should not start with negative TTL")
+}
+
+func TestCleanupCtxIdempotent(t *testing.T) {
+	v := New()
+	c := newContext("idempotent-1", "/", v)
+	v.registerCtx(c)
+
+	assert.NotPanics(t, func() {
+		v.cleanupCtx(c)
+		v.cleanupCtx(c)
+	})
+
+	_, err := v.getCtx("idempotent-1")
+	assert.Error(t, err, "context should be removed after cleanup")
+}
+
+func TestDevModeRemovePersistedFix(t *testing.T) {
+	v := New()
+	v.cfg.DevMode = true
+
+	dir := filepath.Join(t.TempDir(), ".via", "devmode")
+	p := filepath.Join(dir, "ctx.json")
+	assert.NoError(t, os.MkdirAll(dir, 0755))
+
+	// Write a persisted context
+	ctxRegMap := map[string]string{"test-ctx-1": "/"}
+	f, err := os.Create(p)
+	assert.NoError(t, err)
+	assert.NoError(t, json.NewEncoder(f).Encode(ctxRegMap))
+	f.Close()
+
+	// Patch devModeRemovePersisted to use our temp path by calling it
+	// directly — we need to override the path. Instead, test via the
+	// actual function by temporarily changing the working dir.
+	origDir, _ := os.Getwd()
+	assert.NoError(t, os.Chdir(t.TempDir()))
+	defer os.Chdir(origDir)
+
+	// Re-create the structure in the temp dir
+	assert.NoError(t, os.MkdirAll(filepath.Join(".via", "devmode"), 0755))
+	p2 := filepath.Join(".via", "devmode", "ctx.json")
+	f2, _ := os.Create(p2)
+	json.NewEncoder(f2).Encode(map[string]string{"test-ctx-1": "/"})
+	f2.Close()
+
+	c := newContext("test-ctx-1", "/", v)
+	v.devModeRemovePersisted(c)
+
+	// Read back and verify
+	f3, err := os.Open(p2)
+	assert.NoError(t, err)
+	defer f3.Close()
+	var result map[string]string
+	assert.NoError(t, json.NewDecoder(f3).Decode(&result))
+	assert.Empty(t, result, "persisted context should be removed")
+}