fix: 403/400/500 page not generating csrf_token

src/controllers/404.js

@@ -55,10 +55,6 @@ exports.send404 = async function (req, res) {
 		});
 	}
 
-	if (req.method === 'GET') {
-		await middleware.applyCSRFasync(req, res);
-	}
-
 	await middleware.buildHeaderAsync(req, res);
 	await res.render('404', {
 		path: validator.escape(path),

src/controllers/errors.js

@@ -79,9 +79,6 @@ exports.handleErrors = async function handleErrors(err, req, res, next) { // esl
 		if (res.locals.isAPI) {
 			res.json(data);
 		} else {
-			if (req.method === 'GET') {
-				await middleware.applyCSRFasync(req, res);
-			}
 			await middleware.buildHeaderAsync(req, res);
 			res.render('500', data);
 		}

src/middleware/admin.js

@@ -22,6 +22,9 @@ const middleware = module.exports;
 
 middleware.buildHeader = helpers.try(async (req, res, next) => {
 	res.locals.renderAdminHeader = true;
+	if (req.method === 'GET') {
+		await require('./index').applyCSRFasync(req, res);
+	}
 	res.locals.config = await controllers.api.loadConfig(req);
 	next();
 });

src/middleware/header.js

@@ -31,6 +31,9 @@ const relative_path = nconf.get('relative_path');
 middleware.buildHeader = helpers.try(async (req, res, next) => {
 	res.locals.renderHeader = true;
 	res.locals.isAPI = false;
+	if (req.method === 'GET') {
+		await require('./index').applyCSRFasync(req, res);
+	}
 	const [config, canLoginIfBanned] = await Promise.all([
 		controllers.api.loadConfig(req),
 		user.bans.canLoginIfBanned(req.uid),

src/routes/helpers.js

@@ -32,7 +32,6 @@ helpers.setupPageRoute = function (router, name, middleware, middlewares, contro
 	router.get(
 		name,
 		middleware.busyCheck,
-		middleware.applyCSRF,
 		middlewares,
 		middleware.buildHeader,
 		helpers.tryRoute(controller)