From bc9f1a1d1fcb9b9f4db2d6bf2f73c6cd3ca33a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=91cze=20Bence?=
Date: Sat, 8 Apr 2023 20:02:02 +0200
Subject: [PATCH] RVRNEXT-2 disable anti csrf check in case of oauth token
---
 public/index.php | 2 +-
 web.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/public/index.php b/public/index.php
index ddca47a..e6c1b6a 100644
--- a/public/index.php
+++ b/public/index.php
@@ -35,7 +35,7 @@ if ($match !== null) {
 return;
 }
 
- if ($method === 'post' && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
+ if ($method === 'post' && !in_array($url, $antiCsrfTokenExceptions) && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
 $content = new SokoWeb\Response\JsonContent(['error' => 'no_valid_anti_csrf_token']);
 header('Content-Type: text/html; charset=UTF-8', true, 403);
 $content->render();
diff --git a/web.php b/web.php
index 4de9e66..45b9028 100644
--- a/web.php
+++ b/web.php
@@ -78,3 +78,6 @@ Container::$request = new SokoWeb\Request\Request(
 if (!Container::$request->session()->has('anti_csrf_token')) {
 Container::$request->session()->set('anti_csrf_token', bin2hex(random_bytes(16)));
 }
+
+//TODO: make a nicer logic
+$antiCsrfTokenExceptions = ['oauth/token'];
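Review bot: The new exemption in the public/index.php `if` is keyed only on the request path, so once `$url` equals `'oauth/token'` any cross-site POST to that route is accepted regardless of how the caller authenticated; that is only safe if the handler never acts on the session cookie, and nothing in the patch states or enforces that invariant, nor is it visible here whether `$url` is normalised (leading/trailing slash, case) before the comparison. The lookup also depends on `$antiCsrfTokenExceptions` being a bare global set in web.php and reachable in this scope; if it is not, `in_array` with a null haystack raises a warning or a TypeError depending on the PHP version instead of falling back to the strict check, and the loose `in_array` mode is a needless risk for a security gate. I would write `!in_array($url, $antiCsrfTokenExceptions ?? [], true)` so the check stays fail-closed and strict, and add a comment above the line such as `// Routes in $antiCsrfTokenExceptions authenticate by OAuth credentials, not the session cookie, so the session anti-CSRF token does not apply to them.` The enclosing `if ($match !== null)` block starts and ends outside the hunk.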
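Review bot: The `//TODO: make a nicer logic` comment above the new `$antiCsrfTokenExceptions` assignment in web.php says nothing about why `oauth/token` may skip the anti-CSRF token, which is the one fact a maintainer needs before appending another route to this list. Replace it with a comment stating the invariant, e.g. `// Routes exempt from the session anti-CSRF token: only endpoints that authenticate by OAuth client/bearer credentials and never act on the session cookie belong here; keep the list minimal.` The value is also a bare global that public/index.php appears to read by scope rather than receive explicitly, so a class constant or a Container property would make that dependency visible; I hedge on the exact wiring since it lies outside both hunks.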