CSRF

// request.form() validates the CSRF token before filling the form fields.
pub async fn registration(mut request: Request) -> AppResult<Response> {
    let mut form: RegisterForm = request.form();
    if request.is_post() && form.is_valid().await {
        // Secure processing — CSRF has been validated
        return Ok(Redirect::to("/profile").into_response());
    }
    context_update!(request => { "form" => &form });
    request.render("auth/registration.html")
}

<form method="POST" action="{% link "registration" %}">
    {# Full render — CSRF included automatically #}
    {% form.registration_form %}
    <button type="submit">Sign up</button>
</form>

{# Field-by-field render — CSRF always included automatically #}
<form method="POST" action="{% link "registration" %}">
    {% form.registration_form.username %}
    {% form.registration_form.password %}
    <button type="submit">Sign up</button>
</form>

// GET  → token generated, stored in session, injected into Tera context
// POST → request.form() extracts the token from the body, compares in constant-time
//        (via subtle::ConstantTimeEq to prevent timing attacks)

// If the token is invalid or missing:
//   → empty form + CSRF error message
//   → the handler body does not process the form

// The token is tied to the session — it changes with each new session.