From 2bcc934eb44ae569d58a145d25814c9023853895 Mon Sep 17 00:00:00 2001
From: Thibaut Patel
Date: Tue, 18 May 2021 20:44:13 +0200
Subject: [PATCH] Disable CSRF on the oauth callback route

no issue

Keeping CSRF enabled there would prevent oauth from working as users are redirected from the provider domain to the /callback route, where they are logged-in
---
 core/server/web/oauth/app.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/core/server/web/oauth/app.js b/core/server/web/oauth/app.js
index 1d3492ed5f..ae876f7ad9 100644
--- a/core/server/web/oauth/app.js
+++ b/core/server/web/oauth/app.js
@@ -127,7 +127,12 @@ module.exports = function setupOAuthApp() {
         res.sendStatus(404);
     });
 
-    oauthApp.get('/:provider/callback', auth.authenticate.authenticateAdminApi, (req, res, next) => {
+    oauthApp.get('/:provider/callback', (req, res, next) => {
+        // Bypass CSRF protection to authenticate users as they are redirected from
+        // Google OAuth consent screen
+        res.locals.bypassCsrfProtection = true;
+        next();
+    }, auth.authenticate.authenticateAdminApi, (req, res, next) => {
         if (req.params.provider !== 'google') {
             return res.sendStatus(404);
         }
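Review bot: The new first middleware sets `res.locals.bypassCsrfProtection = true` for every `/:provider/callback` request before the `req.params.provider !== 'google'` check runs, so the CSRF exemption is broader than the comment ("Google OAuth consent screen") describes. Scoping it to the one provider the route actually serves keeps the exemption minimal, e.g. `if (req.params.provider === 'google') { res.locals.bypassCsrfProtection = true; }` ahead of `next();`, assuming the CSRF middleware elsewhere honours this `res.locals` flag. With CSRF disabled on this route, the remaining defence against a forged callback completing a login is the OAuth `state` parameter; the visible lines do not show it being compared against a session-bound value, and if the handler body does not do so, that check should land before the user is logged in. The enclosing `setupOAuthApp` function and the rest of the callback handler lie outside this hunk.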