# `PhoenixDatastar.Plugs.RenameCsrfParam`
[🔗](https://github.com/RicoTrevisan/phoenix_datastar/blob/v0.2.0/lib/plugs/rename_csrf_param.ex#L1)

Renames a CSRF body param to `_csrf_token` so that `Plug.CSRFProtection`
can find it.

## Why this exists

Datastar treats signals whose names start with `_` as **client-only** —
they are never sent to the server in the request body. The conventional
CSRF signal (`_csrf-token` / `$_csrfToken`) is therefore delivered as an
`x-csrf-token` **header**, which works for PhoenixDatastar SSE routes.

However, regular Phoenix form POSTs (e.g. sign-in, settings) still go
through `Plug.CSRFProtection`, which looks for the token in
`conn.body_params["_csrf_token"]`. Because the `_`-prefixed signal is
never included in the body, those requests would fail with a 403.

The workaround is to send the token as a **non-prefixed** signal (default
`csrf`) so it *is* included in the request body. This plug then copies
that param into `_csrf_token` in `body_params` before
`Plug.CSRFProtection` runs.

## Usage

    # In your Phoenix router (before :protect_from_forgery):
    plug PhoenixDatastar.Plugs.RenameCsrfParam

    # With a custom source param name:
    plug PhoenixDatastar.Plugs.RenameCsrfParam, from: "my_token"

## Options

- `:from` — Source param name to copy from. Default: `"csrf"`.

---

*Consult [api-reference.md](api-reference.md) for complete listing*