esoko/rvr-nextgen
esoko/rvr-nextgen
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 5 Wiki Activity

Merge pull request 'RVRNEXT-2 disable anti csrf check in case of oauth token' (!8) from feature/RVRNEXT-2-disable-anti-csrf-check-for-oauth-token into master
All checks were successful
rvr-nextgen/pipeline/head This commit looks good
Details

Browse Source 
Reviewed-on: #8
This commit is contained in:
Bence Pőcze 2023-04-08 20:03:20 +02:00 committed by Gitea
commit 845f1fe262
Signed by: Gitea
GPG Key ID: 7B89B83EED9AD2C6
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/index.php
View File

@ -35,7 +35,7 @@ if ($match !== null) {
return;
}
if ($method === 'post' && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
if ($method === 'post' && !in_array($url, $antiCsrfTokenExceptions) && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
$content = new SokoWeb\Response\JsonContent(['error' => 'no_valid_anti_csrf_token']);
header('Content-Type: text/html; charset=UTF-8', true, 403);
$content->render();

3
web.php
View File

@ -78,3 +78,6 @@ Container::$request = new SokoWeb\Request\Request(
if (!Container::$request->session()->has('anti_csrf_token')) {
Container::$request->session()->set('anti_csrf_token', bin2hex(random_bytes(16)));
}
//TODO: make a nicer logic
$antiCsrfTokenExceptions = ['oauth/token'];