Removed ssoOriginCheck from signout endpoint (#10277)

no-issue the ssoOriginCheck exists to ensure that we only allow signin/signup to be called from the specified auth page, this is a very minor security feature in that it forces signins to go via the page you've designated. signout however does not need this protection as the call to signout completely bypasses any UI (this is the same for the call to /token)
2024-11-23 22:11:09 +03:00 · 2018-12-14 13:56:31 +07:00 · 2018-12-14 13:56:31 +07:00 · 99aeda5909
commit 99aeda5909
parent b219e26ea6
1 changed files with 1 additions and 1 deletions
--- a/ghost/members-api/index.js
+++ b/ghost/members-api/index.js
@ -140,7 +140,7 @@ module.exports = function MembersApi({
        }).catch(handleError(401, res));
    });

-    apiRouter.post('/signout', getData(), ssoOriginCheck, (req, res) => {
+    apiRouter.post('/signout', getData(), (req, res) => {
        res.writeHead(200, {
            'Set-Cookie': removeCookie()
        });