@rmdes/indiekit-endpoint-microsub 1.0.54 → 1.0.56

package/lib/storage/channels.js

@@ -112,8 +112,35 @@ export async function createChannel(application, { name, userId }) {
   return channel;
 }
 
-// Retention period for unread count (only count recent items)
-const UNREAD_RETENTION_DAYS = 30;
+import { UNREAD_RETENTION_DAYS } from "../utils/constants.js";
+
+/**
+ * Get unread counts for multiple channels in a single aggregation query.
+ * Replaces the N+1 countDocuments pattern.
+ * @param {object} itemsCollection - MongoDB items collection
+ * @param {Array<import("mongodb").ObjectId>} channelIds - Channel IDs
+ * @param {string} userId - User ID
+ * @returns {Promise<Map<string, number>>} Map of channelId string → unread count
+ */
+async function getUnreadCounts(itemsCollection, channelIds, userId) {
+  const cutoffDate = new Date();
+  cutoffDate.setDate(cutoffDate.getDate() - UNREAD_RETENTION_DAYS);
+
+  const pipeline = [
+    {
+      $match: {
+        channelId: { $in: channelIds },
+        readBy: { $ne: userId },
+        published: { $gte: cutoffDate },
+        _stripped: { $ne: true },
+      },
+    },
+    { $group: { _id: "$channelId", count: { $sum: 1 } } },
+  ];
+
+  const results = await itemsCollection.aggregate(pipeline).toArray();
+  return new Map(results.map((r) => [r._id.toString(), r.count]));
+}
 
 /**
  * Get all channels for a user
@@ -133,27 +160,18 @@ export async function getChannels(application, userId) {
     .sort({ order: 1 })
     .toArray();
 
-  // Calculate cutoff date for unread counts (only count recent items)
-  const cutoffDate = new Date();
-  cutoffDate.setDate(cutoffDate.getDate() - UNREAD_RETENTION_DAYS);
-
-  // Get unread counts for each channel (only recent items)
-  const channelsWithCounts = await Promise.all(
-    channels.map(async (channel) => {
-      const unreadCount = await itemsCollection.countDocuments({
-        channelId: channel._id,
-        readBy: { $ne: userId },
-        published: { $gte: cutoffDate },
-        _stripped: { $ne: true },
-      });
-
-      return {
-        uid: channel.uid,
-        name: channel.name,
-        unread: unreadCount > 0 ? unreadCount : false,
-      };
-    }),
-  );
+  // Single aggregation query for all channel unread counts
+  const channelIds = channels.map((c) => c._id);
+  const unreadMap = await getUnreadCounts(itemsCollection, channelIds, userId);
+
+  const channelsWithCounts = channels.map((channel) => {
+    const unreadCount = unreadMap.get(channel._id.toString()) || 0;
+    return {
+      uid: channel.uid,
+      name: channel.name,
+      unread: unreadCount > 0 ? unreadCount : false,
+    };
+  });
 
   // Always include notifications channel first
   const notificationsChannel = channelsWithCounts.find(
@@ -189,25 +207,18 @@ export async function getChannelsWithColors(application, userId) {
     .sort({ order: 1 })
     .toArray();
 
-  const cutoffDate = new Date();
-  cutoffDate.setDate(cutoffDate.getDate() - UNREAD_RETENTION_DAYS);
-
-  const enriched = await Promise.all(
-    channels.map(async (channel, index) => {
-      const unreadCount = await itemsCollection.countDocuments({
-        channelId: channel._id,
-        readBy: { $ne: userId },
-        published: { $gte: cutoffDate },
-        _stripped: { $ne: true },
-      });
-
-      return {
-        ...channel,
-        color: channel.color || getChannelColor(index),
-        unread: unreadCount > 0 ? unreadCount : false,
-      };
-    }),
-  );
+  // Single aggregation query for all channel unread counts
+  const channelIds = channels.map((c) => c._id);
+  const unreadMap = await getUnreadCounts(itemsCollection, channelIds, userId);
+
+  const enriched = channels.map((channel, index) => {
+    const unreadCount = unreadMap.get(channel._id.toString()) || 0;
+    return {
+      ...channel,
+      color: channel.color || getChannelColor(index),
+      unread: unreadCount > 0 ? unreadCount : false,
+    };
+  });
 
   // Notifications first, then by order
   const notifications = enriched.find((c) => c.uid === "notifications");

package/lib/storage/feeds.js

@@ -249,7 +249,7 @@ export async function deleteFeedsForChannel(application, channelId) {
  * @param {object} application - Indiekit application
  * @returns {Promise<Array>} Array of feeds to fetch
  */
-export async function getFeedsToFetch(application) {
+export async function getFeedsToFetch(application, limit = 25) {
   const collection = getCollection(application);
   const now = new Date();
 
@@ -257,6 +257,8 @@ export async function getFeedsToFetch(application) {
     .find({
       $or: [{ nextFetchAt: undefined }, { nextFetchAt: { $lte: now } }],
     })
+    .sort({ nextFetchAt: 1 })
+    .limit(limit)
     .toArray();
 }
 

package/lib/storage/items.js

@@ -55,12 +55,6 @@ function getCollection(application) {
 export async function addItem(application, { channelId, feedId, uid, item }) {
   const collection = getCollection(application);
 
-  // Check for duplicate
-  const existing = await collection.findOne({ channelId, uid });
-  if (existing) {
-    return; // Duplicate, don't add
-  }
-
   const document = {
     channelId,
     feedId,
@@ -86,8 +80,14 @@ export async function addItem(application, { channelId, feedId, uid, item }) {
     createdAt: new Date().toISOString(),
   };
 
-  await collection.insertOne(document);
-  return document;
+  try {
+    await collection.insertOne(document);
+    return document;
+  } catch (error) {
+    // Duplicate key error (unique index on channelId + uid) — expected for dedup
+    if (error.code === 11000) return;
+    throw error;
+  }
 }
 
 /**
@@ -841,8 +841,7 @@ export async function deleteItemsForFeed(application, feedId) {
   return result.deletedCount;
 }
 
-// Retention period for unread count (only count recent items)
-const UNREAD_RETENTION_DAYS = 30;
+import { UNREAD_RETENTION_DAYS } from "../utils/constants.js";
 
 /**
  * Get unread count for a channel
@@ -881,24 +880,13 @@ export async function searchItems(application, channelId, query, limit = 20) {
   const objectId =
     typeof channelId === "string" ? new ObjectId(channelId) : channelId;
 
-  // Use regex search (consider adding text index for better performance)
-  const escapedQuery = query.replaceAll(
-    /[$()*+.?[\\\]^{|}]/g,
-    String.raw`\$&`,
-  );
-  const regex = new RegExp(escapedQuery, "i");
+  // Use MongoDB text index for efficient full-text search
   const items = await collection
     .find({
       channelId: objectId,
-      $or: [
-        { name: regex },
-        { "content.text": regex },
-        { "content.html": regex },
-        { summary: regex },
-      ],
+      $text: { $search: query },
     })
-    // eslint-disable-next-line unicorn/no-array-sort -- MongoDB cursor method, not Array#sort
-    .sort({ published: -1 })
+    .sort({ score: { $meta: "textScore" } })
     .limit(limit)
     .toArray();
 
@@ -945,6 +933,12 @@ export async function createIndexes(application) {
   // URL matching index for mark_read operations
   await collection.createIndex({ channelId: 1, url: 1 });
 
+  // Compound index for unread count aggregation (P7)
+  await collection.createIndex({ channelId: 1, _stripped: 1, published: -1 });
+
+  // Cross-channel timeline query index (P12)
+  await collection.createIndex({ _stripped: 1, published: -1 });
+
   // Full-text search index with weights
   // Higher weight = more importance in relevance scoring
   await collection.createIndex(

package/lib/utils/constants.js

@@ -0,0 +1,7 @@
+/**
+ * Shared constants used across multiple modules
+ * @module utils/constants
+ */
+
+/** Retention period for unread count queries (only count recent items) */
+export const UNREAD_RETENTION_DAYS = 30;

package/lib/utils/csrf.js

@@ -0,0 +1,51 @@
+/**
+ * CSRF protection middleware for reader UI
+ * Uses session-based tokens (not cookies)
+ * @module utils/csrf
+ */
+
+import crypto from "node:crypto";
+
+/**
+ * Generate or retrieve CSRF token from session.
+ * Exposes token as `response.locals.csrfToken` for templates.
+ *
+ * @param {object} request - Express request
+ * @param {object} response - Express response
+ * @param {Function} next - Express next
+ */
+export function csrfToken(request, response, next) {
+  if (request.session) {
+    if (!request.session.csrfToken) {
+      request.session.csrfToken = crypto.randomUUID();
+    }
+    response.locals.csrfToken = request.session.csrfToken;
+  }
+  next();
+}
+
+/**
+ * Validate CSRF token on POST requests.
+ * Checks `_csrf` field in body or `x-csrf-token` header.
+ *
+ * @param {object} request - Express request
+ * @param {object} response - Express response
+ * @param {Function} next - Express next
+ */
+export function csrfValidate(request, response, next) {
+  if (request.method !== "POST") return next();
+
+  const sessionToken = request.session?.csrfToken;
+  if (!sessionToken) {
+    return response.status(403).send("CSRF token missing from session");
+  }
+
+  const submittedToken =
+    request.body?._csrf || request.headers["x-csrf-token"];
+
+  if (!submittedToken || submittedToken !== sessionToken) {
+    return response.status(403).send("CSRF token invalid");
+  }
+
+  next();
+}

package/lib/utils/sanitize.js

@@ -0,0 +1,61 @@
+/**
+ * Shared HTML sanitization configuration
+ * Used by both RSS/Atom normalizer and ActivityPub outbox fetcher
+ * @module utils/sanitize
+ */
+
+/**
+ * Allowed HTML tags and attributes for sanitize-html
+ */
+export const SANITIZE_OPTIONS = {
+  allowedTags: [
+    "a",
+    "abbr",
+    "b",
+    "blockquote",
+    "br",
+    "code",
+    "em",
+    "figcaption",
+    "figure",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "hr",
+    "i",
+    "img",
+    "li",
+    "ol",
+    "p",
+    "pre",
+    "s",
+    "span",
+    "strike",
+    "strong",
+    "sub",
+    "sup",
+    "table",
+    "tbody",
+    "td",
+    "th",
+    "thead",
+    "tr",
+    "u",
+    "ul",
+    "video",
+    "audio",
+    "source",
+  ],
+  allowedAttributes: {
+    a: ["href", "title", "rel"],
+    img: ["src", "alt", "title", "width", "height"],
+    video: ["src", "poster", "controls", "width", "height"],
+    audio: ["src", "controls"],
+    source: ["src", "type"],
+    "*": ["class"],
+  },
+  allowedSchemes: ["http", "https", "mailto"],
+};

package/lib/utils/validation.js

@@ -4,6 +4,7 @@
  */
 
 import { IndiekitError } from "@indiekit/error";
+import safeRegex from "safe-regex2";
 
 /**
  * Valid Microsub actions
@@ -30,7 +31,7 @@ export const VALID_CHANNEL_METHODS = ["delete", "order"];
 /**
  * Valid timeline methods
  */
-export const VALID_TIMELINE_METHODS = ["mark_read", "mark_unread", "remove"];
+export const VALID_TIMELINE_METHODS = ["mark_read", "mark_read_source", "mark_unread", "remove"];
 
 /**
  * Valid exclude types for channel filtering
@@ -173,7 +174,12 @@ export function validateExcludeRegex(pattern) {
   }
 
   try {
-    new RegExp(pattern);
+    const regex = new RegExp(pattern);
+    // Reject patterns vulnerable to catastrophic backtracking (ReDoS)
+    if (!safeRegex(regex)) {
+      console.warn(`[Microsub] Rejected unsafe regex pattern: ${pattern}`);
+      return;
+    }
     return pattern;
   } catch {
     return;

package/lib/webmention/verifier.js

@@ -6,27 +6,8 @@
 import { mf2 } from "microformats-parser";
 import sanitizeHtml from "sanitize-html";
 
-/**
- * Sanitize HTML options (matches normalizer.js)
- */
-const SANITIZE_OPTIONS = {
-  allowedTags: [
-    "a", "abbr", "b", "blockquote", "br", "code", "em", "figcaption",
-    "figure", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img",
-    "li", "ol", "p", "pre", "s", "span", "strike", "strong", "sub",
-    "sup", "table", "tbody", "td", "th", "thead", "tr", "u", "ul",
-    "video", "audio", "source",
-  ],
-  allowedAttributes: {
-    a: ["href", "title", "rel"],
-    img: ["src", "alt", "title", "width", "height"],
-    video: ["src", "poster", "controls", "width", "height"],
-    audio: ["src", "controls"],
-    source: ["src", "type"],
-    "*": ["class"],
-  },
-  allowedSchemes: ["http", "https", "mailto"],
-};
+import { isPrivateUrl } from "../media/proxy.js";
+import { SANITIZE_OPTIONS } from "../utils/sanitize.js";
 
 /**
  * Verify a webmention
@@ -36,6 +17,14 @@ const SANITIZE_OPTIONS = {
  */
 export async function verifyWebmention(source, target) {
   try {
+    // SSRF protection — block private/internal IPs (highest risk: unauthenticated endpoint)
+    if (await isPrivateUrl(source)) {
+      return {
+        verified: false,
+        error: "Source URL blocked (private/internal address)",
+      };
+    }
+
     // Fetch the source URL
     const response = await fetch(source, {
       headers: {

package/lib/websub/subscriber.js

@@ -5,6 +5,7 @@
 
 import crypto from "node:crypto";
 
+import { isPrivateUrl } from "../media/proxy.js";
 import { updateFeedWebsub } from "../storage/feeds.js";
 
 const DEFAULT_LEASE_SECONDS = 86_400 * 7; // 7 days
@@ -24,6 +25,12 @@ export async function subscribe(application, feed, callbackUrl) {
   const topic = feed.websub.topic || feed.url;
   const secret = generateSecret();
 
+  // SSRF protection — hub URL comes from untrusted feed content
+  if (await isPrivateUrl(feed.websub.hub)) {
+    console.warn(`[Microsub] WebSub blocked private hub URL: ${feed.websub.hub}`);
+    return false;
+  }
+
   try {
     const response = await fetch(feed.websub.hub, {
       method: "POST",
@@ -137,6 +144,11 @@ export function verifySignature(signature, body, secret) {
   // Normalize algorithm name
   const algo = algorithm.toLowerCase().replace("sha", "sha");
 
+  // Warn about deprecated SHA-1 (accepted for compatibility, but SHA-256 preferred)
+  if (algo === "sha1") {
+    console.warn("[Microsub] WebSub: hub using deprecated SHA-1 signature (SHA-256 preferred)");
+  }
+
   try {
     const expectedHash = crypto
       .createHmac(algo, secret)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-microsub",
-  "version": "1.0.54",
+  "version": "1.0.56",
   "description": "Microsub endpoint for Indiekit. Enables subscribing to feeds and reading content using the Microsub protocol.",
   "keywords": [
     "indiekit",
@@ -46,6 +46,8 @@
     "ioredis": "^5.3.0",
     "luxon": "^3.4.0",
     "microformats-parser": "^2.0.0",
+    "express-rate-limit": "^7.0.0",
+    "safe-regex2": "^4.0.0",
     "sanitize-html": "^2.11.0"
   },
   "publishConfig": {

package/views/actor.njk

@@ -46,6 +46,7 @@
         {% if canFollow %}
           {% if isFollowing %}
           <form action="{{ baseUrl }}/actor/unfollow" method="POST" style="display: inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="actorUrl" value="{{ actorUrl }}">
             <button type="submit" class="button button--secondary button--small">
               {{ icon("tick") }} Following
@@ -53,6 +54,7 @@
           </form>
           {% else %}
           <form action="{{ baseUrl }}/actor/follow" method="POST" style="display: inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="actorUrl" value="{{ actorUrl }}">
             <input type="hidden" name="actorName" value="{{ actor.name }}">
             <button type="submit" class="button button--primary button--small">

package/views/channel-new.njk

@@ -9,6 +9,7 @@
     <h2>{{ __("microsub.channels.new") }}</h2>
 
     <form method="post" action="{{ baseUrl }}/channels/new">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       {{ input({
         id: "name",
         name: "name",

package/views/channel.njk

@@ -7,6 +7,7 @@
       <div class="ms-channel__actions">
         {% if not showRead and items.length > 0 %}
         <form action="{{ baseUrl }}/api/mark-read" method="POST" style="display: inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
           <input type="hidden" name="channel" value="{{ channel.uid }}">
           <input type="hidden" name="entry" value="last-read-entry">
           <button type="submit" class="button button--secondary button--small">
@@ -40,6 +41,7 @@
 
     {% if items.length > 0 %}
     <form method="POST" action="{{ baseUrl }}/api/mark-view-read" id="mark-view-form">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       <input type="hidden" name="channel" value="{{ channel.uid }}">
       {% for item in items %}
         {% if not item._is_read %}
@@ -95,6 +97,9 @@
   </div>
 
   <script type="module">
+    // CSRF token for AJAX requests
+    const csrfToken = document.querySelector('meta[name="csrf-token"]')?.content || '';
+
     // Keyboard navigation (j/k for items, o to open)
     const timeline = document.getElementById('timeline');
     if (timeline) {
@@ -164,6 +169,7 @@
             method: 'POST',
             headers: {
               'Content-Type': 'application/x-www-form-urlencoded',
+              'X-CSRF-Token': csrfToken,
             },
             body: formData.toString(),
             credentials: 'same-origin'
@@ -233,7 +239,7 @@
 
           const response = await fetch(microsubApiUrl, {
             method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-CSRF-Token': csrfToken },
             body: formData.toString(),
             credentials: 'same-origin'
           });
@@ -289,7 +295,7 @@
         try {
           const response = await fetch('/readlater/save', {
             method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
+            headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrfToken },
             body: JSON.stringify({ url, title: title || url, source: 'microsub' }),
             credentials: 'same-origin'
           });
@@ -406,7 +412,7 @@
         try {
           const response = await fetch(markViewApiUrl, {
             method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-CSRF-Token': csrfToken },
             body: formData.toString(),
             credentials: 'same-origin'
           });

package/views/compose.njk

@@ -45,6 +45,7 @@
     {% endif %}
 
     <form method="post" action="{{ baseUrl }}/compose">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       {% if replyTo %}
       <input type="hidden" name="in-reply-to" value="{{ replyTo }}">
       {% endif %}

package/views/deck-settings.njk

@@ -10,6 +10,7 @@
     </header>
 
     <form action="{{ baseUrl }}/deck/settings" method="POST">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       <p>Select which channels appear as columns in your deck, and their order.</p>
 
       <div class="ms-deck-settings__channels">

package/views/feed-edit.njk

@@ -35,6 +35,7 @@
       </div>
 
       <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/{{ feed._id }}/edit" class="ms-feed-edit__form">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
         {{ input({
           id: "url",
           name: "url",
@@ -64,6 +65,7 @@
         <h3>Other Actions</h3>
 
         <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/{{ feed._id }}/rediscover" class="ms-feed-edit__action">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
           <p>Run feed discovery on the current URL to find the actual RSS/Atom feed.</p>
           {{ button({
             text: "Rediscover Feed",
@@ -72,6 +74,7 @@
         </form>
 
         <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/{{ feed._id }}/refresh" class="ms-feed-edit__action">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
           <p>Force refresh this feed now.</p>
           {{ button({
             text: "Refresh Now",

package/views/feeds.njk

@@ -62,16 +62,19 @@
             {{ icon("updatePost") }}
           </a>
           <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/{{ feed._id }}/rediscover" style="display:inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <button type="submit" class="button button--secondary button--small" title="Rediscover feed">
               {{ icon("syndicate") }}
             </button>
           </form>
           <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/{{ feed._id }}/refresh" style="display:inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <button type="submit" class="button button--secondary button--small" title="Refresh now">
               {{ icon("repost") }}
             </button>
           </form>
           <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds/remove" style="display:inline;">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="url" value="{{ feed.url }}">
             <button type="submit" class="button button--warning button--small" title="Unfollow">
               {{ icon("delete") }}
@@ -91,6 +94,7 @@
     <div class="ms-feeds__add">
       <h3>{{ __("microsub.feeds.follow") }}</h3>
       <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/feeds" class="ms-feeds__form">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
         {{ input({
           id: "url",
           name: "url",

package/views/layouts/reader.njk

@@ -6,6 +6,7 @@
 
 {% block content %}
 <link rel="stylesheet" href="/assets/@rmdes-indiekit-endpoint-microsub/styles.css">
+<meta name="csrf-token" content="{{ csrfToken }}">
 {% include "partials/breadcrumbs.njk" %}
 {% include "partials/view-switcher.njk" %}
 {% block reader %}{% endblock %}

package/views/search.njk

@@ -9,6 +9,7 @@
     <h2>{{ __("microsub.search.title") }}</h2>
 
     <form method="post" action="{{ baseUrl }}/search" class="ms-search__form">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       {{ input({
         id: "query",
         name: "query",
@@ -60,6 +61,7 @@
           </div>
           {% if result.valid %}
           <form method="post" action="{{ baseUrl }}/subscribe" class="ms-search__subscribe">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
             <input type="hidden" name="url" value="{{ result.url }}">
             <label for="channel-{{ loop.index }}" class="-!-visually-hidden">{{ __("microsub.channels.title") }}</label>
             <select name="channel" id="channel-{{ loop.index }}" class="select select--small">

package/views/settings.njk

@@ -9,6 +9,7 @@
     <h2>{{ __("microsub.settings.title", { channel: channel.name }) }}</h2>
 
     <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/settings">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
       {{ checkboxes({
         name: "excludeTypes",
         values: channel.settings.excludeTypes,
@@ -64,6 +65,7 @@
       <h3>{{ __("microsub.settings.dangerZone") }}</h3>
       <p class="hint">{{ __("microsub.settings.deleteWarning") }}</p>
       <form method="post" action="{{ baseUrl }}/channels/{{ channel.uid }}/delete" onsubmit="return confirm('{{ __("microsub.settings.deleteConfirm") }}');">
+      <input type="hidden" name="_csrf" value="{{ csrfToken }}">
         {{ button({
           text: __("microsub.settings.delete"),
           classes: "button--danger"