fix: pass CSRF token to API-rendered item cards

The explore and hashtag API controllers rendered ap-item-card.njk with
csrfToken: "" causing Like/Boost/Save buttons in tab panels to fail
with 403 Invalid CSRF token. Now generates a proper token from the
session via getToken().

lib/controllers/explore.js

@@ -188,10 +188,11 @@ export function exploreApiController(mountPath) {
       }
 
       // Render each card server-side
+      const csrfToken = getToken(request.session);
       const templateData = {
         ...response.locals,
         mountPath,
-        csrfToken: "",
+        csrfToken,
         interactionMap: {},
       };
 

lib/controllers/hashtag-explore.js

@@ -17,6 +17,7 @@
  */
 
 import { validateHashtag, mapMastodonStatusToItem } from "./explore-utils.js";
+import { getToken } from "../csrf.js";
 
 const FETCH_TIMEOUT_MS = 10_000;
 const PAGE_SIZE = 20;
@@ -183,10 +184,11 @@ export function hashtagExploreApiController(mountPath) {
       );
 
       // Render HTML AFTER merge/dedup/paginate (don't waste CPU on discarded items)
+      const csrfToken = getToken(request.session);
       const templateData = {
         ...response.locals,
         mountPath,
-        csrfToken: "",
+        csrfToken,
         interactionMap: {},
       };
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.0.0",
+  "version": "2.1.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@rmdes/indiekit-endpoint-activitypub",
-      "version": "2.0.0",
+      "version": "2.1.1",
       "license": "MIT",
       "dependencies": {
         "@fedify/debugger": "^2.0.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",