Disable CSRF on the oauth callback route

no issue

Keeping CSRF enabled there would prevent OAuth from working, as users are redirected from the provider domain to the /callback route, where they are logged in.
Thibaut Patel 2021-05-18 20:44:13 +02:00
parent 2e8db93ab6
commit 2bcc934eb4


@ -127,7 +127,12 @@ module.exports = function setupOAuthApp() {
res.sendStatus(404);
});
oauthApp.get('/:provider/callback', auth.authenticate.authenticateAdminApi, (req, res, next) => {
oauthApp.get('/:provider/callback', (req, res, next) => {
// Bypass CSRF protection to authenticate users as they are redirected from
// Google OAuth consent screen
res.locals.bypassCsrfProtection = true;
next();
}, auth.authenticate.authenticateAdminApi, (req, res, next) => {
if (req.params.provider !== 'google') {
return res.sendStatus(404);
}