Removed ssoOriginCheck from signout endpoint (#10277)

no-issue

the ssoOriginCheck exists to ensure that we only allow signin/signup to
be called from the specified auth page, this is a very minor security
feature in that it forces signins to go via the page you've designated.
signout however does not need this protection as the call to signout
completely bypasses any UI (this is the same for the call to /token)
This commit is contained in:
Fabien O'Carroll 2018-12-14 13:56:31 +07:00
parent b219e26ea6
commit 99aeda5909

View File

@ -140,7 +140,7 @@ module.exports = function MembersApi({
}).catch(handleError(401, res));
});
apiRouter.post('/signout', getData(), ssoOriginCheck, (req, res) => {
apiRouter.post('/signout', getData(), (req, res) => {
res.writeHead(200, {
'Set-Cookie': removeCookie()
});