refactor: use user-token for historyDelete too

Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
Philip Molares
2025-11-26 19:20:54 +01:00
parent 05a937ea22
commit bc2075ae9d
6 changed files with 36 additions and 28 deletions


@@ -8,6 +8,7 @@
- Allow links to protocols such as xmpp, webcal or geo
- Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
- Ensure compatibility with Node 24
- Protect user history from accidental or malicious deletion by adding a CSRF-like token
### Bugfixes
- Ignore the healthcheck endpoint in the "too busy" limiter


@@ -295,7 +295,7 @@ export function postHistoryToServer (noteId, data, callback) {
export function deleteServerHistory (noteId, callback) {
$.ajax({
url: `${serverurl}/history${noteId ? '/' + noteId : ''}`,
url: `${serverurl}/history${noteId ? '/' + noteId : ''}?token=${window.userToken}`,
type: 'DELETE'
})
.done(result => callback(null, result))
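Review bot: The token is appended to the DELETE URL as `?token=${window.userToken}` without encoding, and a secret carried in a query string is typically written to web-server and reverse-proxy access logs, which weakens it as an anti-CSRF value. At minimum the line should read `url: `${serverurl}/history${noteId ? '/' + noteId : ''}?token=${encodeURIComponent(window.userToken)}`,` so an unexpected character cannot alter the query. If the server-side handler (not visible here) can be changed to read the token from a request header, passing it through the `headers` option of `$.ajax` would keep it out of URLs entirely. The rest of deleteServerHistory, including its failure path, lies outside this hunk.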


@@ -11,3 +11,4 @@ window.linkifyHeaderStyle = '<%- linkifyHeaderStyle %>'
window.DROPBOX_APP_KEY = '<%- DROPBOX_APP_KEY %>'
window.cookiePolicy = '<%- cookiePolicy %>'
window.userToken = '<%- userToken %>'
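Review bot: `'<%- userToken %>'` uses the unescaped EJS output tag inside a single-quoted JavaScript string, so this line is only safe while the token can never contain a quote, backslash, line break or `</script>`. That presumably holds for a server-generated token, but the generator is not visible in this hunk, and the neighbouring lines follow the same pattern for configuration values rather than for a per-user secret. I would record the constraint next to the assignment, for example `// userToken is emitted unescaped: it must stay within [A-Za-z0-9_-]`, and confirm what is rendered here for a visitor who is not logged in.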