Add to middleware in app's `src/main.zig`:
```zig
pub const jetzig_options = struct {
pub const middleware: []const type = &.{
jetzig.middleware.AntiCsrfMiddleware,
};
};
```
CSRF token available in Zmpl templates:
```
{{context.authenticityToken()}}
```
or render a hidden form element:
```
{{context.authenticityFormElement()}}
```
The following HTML requests are rejected (403 Forbidden) if the
submitted query param does not match the value stored in the encrypted
session (added automatically when the token is generated for a template
value):
* POST
* PUT
* PATCH
* DELETE
JSON requests are not impacted - users should either disable JSON
endpoints or implement a different authentication method to protect
them.
Eradication of `data` arg to requests. We no longer need to pass this
value around as we have a) type inference, b) nested object insertion
via `put` and `append`.
Fix `joinPath` numeric type coercion
Detect empty string params and treat them as blank with expectParams()
Fix error logging/stack trace printing.
Update Zmpl - includes debug tokens + error tracing to source template
in debug builds.
Implement `request.expectParams()` to coerce params to a given struct.
`request.paramsInfo()` provides information about each param (present,
blank, failed + original values and errors where applicable).
Move all route types into a single union and remove leftover junk.
Deprecate view functions that receive a `*jetzig.Data` argument (we will
stay backward-compatible until we have a valid reason to drop support
for legacy view functions - the extra code overhead is pretty minimal).
When an environment variable configures the database name we connect to,
we need to wrap the field access in a comptime check even if the
`orelse` block never runs.
Define `pub const Global = SomeType` at top level in `src/main.zig`,
then create a pointer to `SomeType` and pass to `app.start`:
```
app.start(routes, .{ .global = global });
```
Then access in a view as `request.global`.
