added CSRF protection using csurf express middleware, fixes #455

src/public/javascripts/desktop.js

@@ -98,7 +98,8 @@ $(document).on("click", "button[data-help-page]", e => {
 $("#logout-button").toggle(!utils.isElectron());
 
 $("#logout-button").click(() => {
-    const $logoutForm = $('<form action="logout" method="POST">');
+    const $logoutForm = $('<form action="logout" method="POST">')
+                            .append($(`<input type="hidden" name="_csrf" value="${glob.csrfToken}"/>`));
 
     $("body").append($logoutForm);
     $logoutForm.submit();

src/public/javascripts/services/server.js

@@ -1,4 +1,3 @@
-import protectedSessionHolder from './protected_session_holder.js';
 import utils from './utils.js';
 import infoService from "./info.js";
 
@@ -7,7 +6,8 @@ function getHeaders() {
     // so hypothetical protectedSessionId becomes protectedsessionid on the backend
     // also avoiding using underscores instead of dashes since nginx filters them out by default
     return {
-        'trilium-source-id': glob.sourceId
+        'trilium-source-id': glob.sourceId,
+        'x-csrf-token': glob.csrfToken
     };
 }