Request a csrftoken before every request

public/src/js/account.js

@@ -397,6 +397,7 @@ class Account{
 	}
 	request(url, obj, get){
 		this.lock(true)
+		var doRequest = token => {
 			return new Promise((resolve, reject) => {
 				var request = new XMLHttpRequest()
 				request.open(get ? "GET" : "POST", "api/" + url)
@@ -423,13 +424,19 @@ class Account{
 				})
 				if(obj){
 					request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
-				request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
+					request.setRequestHeader("X-CSRFToken", token)
 					request.send(JSON.stringify(obj))
 				}else{
 					request.send()
 				}
 			})
 		}
+		if(get){
+			return doRequest()
+		}else{
+			return loader.getCsrfToken().then(doRequest)
+		}
+	}
 	lock(isLocked){
 		this.locked = isLocked
 		if(this.mode === "login" || this.mode === "register"){

public/src/js/loader.js

@@ -396,6 +396,16 @@ class Loader{
 			request.send()
 		})
 	}
+	getCsrfToken(){
+		return this.ajax("api/csrftoken").then(response => {
+			var json = JSON.parse(response)
+			if(json.status === "ok"){
+				return Promise.resolve(json.token)
+			}else{
+				return Promise.reject()
+			}
+		})
+	}
 	clean(error){
 		var fontDetectDiv = document.getElementById("fontdetectHelper")
 		if(fontDetectDiv){

public/src/js/scorestorage.js

@@ -272,6 +272,7 @@ class ScoreStorage{
 	}
 	sendToServer(obj, retry){
 		if(account.loggedIn){
+			return loader.getCsrfToken().then(token => {
 				var request = new XMLHttpRequest()
 				request.open("POST", "api/scores/save")
 				var promise = pageEvents.load(request).then(response => {
@@ -296,8 +297,10 @@ class ScoreStorage{
 					}
 				})
 				request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
+				request.setRequestHeader("X-CSRFToken", token)
 				request.send(JSON.stringify(obj))
 				return promise
+			})
 		}else{
 			return Promise.resolve()
 		}