Merge pull request 'RVRNEXT-2 disable anti csrf check in case of oauth token' (!8 ) from feature/RVRNEXT-2-disable-anti-csrf-check-for-oauth-token into master

Reviewed-on: #8
RVRNEXT-2 disable anti csrf check in case of oauth token
2023-04-08 20:03:20 +02:00 · 2023-04-08 20:02:02 +02:00
2 changed files with 4 additions and 1 deletions
--- a/public/index.php
+++ b/public/index.php
@ -35,7 +35,7 @@ if ($match !== null) {
        return;
    }

-    if ($method === 'post' && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
+    if ($method === 'post' && !in_array($url, $antiCsrfTokenExceptions) && Container::$request->post('anti_csrf_token') !== Container::$request->session()->get('anti_csrf_token')) {
        $content = new SokoWeb\Response\JsonContent(['error' => 'no_valid_anti_csrf_token']);
        header('Content-Type: text/html; charset=UTF-8', true, 403);
        $content->render();
--- a/web.php
+++ b/web.php
@ -78,3 +78,6 @@ Container::$request = new SokoWeb\Request\Request(
 if (!Container::$request->session()->has('anti_csrf_token')) {
    Container::$request->session()->set('anti_csrf_token', bin2hex(random_bytes(16)));
 }
+
+//TODO: make a nicer logic
+$antiCsrfTokenExceptions = ['oauth/token'];
Author	SHA1	Message	Date
Bence Pőcze	845f1fe262	Merge pull request 'RVRNEXT-2 disable anti csrf check in case of oauth token' (!8 ) from feature/RVRNEXT-2-disable-anti-csrf-check-for-oauth-token into master All checks were successful rvr-nextgen/pipeline/head This commit looks good Details Reviewed-on: #8	2023-04-08 20:03:20 +02:00
Pőcze Bence	bc9f1a1d1f	RVRNEXT-2 disable anti csrf check in case of oauth token All checks were successful rvr-nextgen/pipeline/pr-master This commit looks good Details	2023-04-08 20:02:02 +02:00