From 99aeda59099bb9310d91f82b8e2c3e4b19cd9986 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Fri, 14 Dec 2018 13:56:31 +0700
Subject: [PATCH] Removed ssoOriginCheck from signout endpoint (#10277)

no-issue

the ssoOriginCheck exists to ensure that we only allow signin/signup to be called from the specified auth page, this is a very minor security feature in that it forces signins to go via the page you've designated. signout however does not need this protection as the call to signout completely bypasses any UI (this is the same for the call to /token)
---
 ghost/members-api/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ghost/members-api/index.js b/ghost/members-api/index.js
index 486e428ddd..314e83a51e 100644
--- a/ghost/members-api/index.js
+++ b/ghost/members-api/index.js
@@ -140,7 +140,7 @@ module.exports = function MembersApi({
 }).catch(handleError(401, res));
 });
 
-apiRouter.post('/signout', getData(), ssoOriginCheck, (req, res) => {
+apiRouter.post('/signout', getData(), (req, res) => {
 res.writeHead(200, {
 'Set-Cookie': removeCookie()
 });
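Review bot: The reason `/signout` is now the one route on this router without `ssoOriginCheck` is recorded only in the commit message, so the next reader of the added `apiRouter.post('/signout', getData(), (req, res) => {` line will see an asymmetry with the signin/signup routes and nothing explaining it; add a short comment above the route, e.g. `// No ssoOriginCheck here: signout only clears the session cookie and has no UI page to originate from (same as /token).` Worth stating in that comment is the residual exposure the commit accepts: the handler responds by sending `removeCookie()` in `Set-Cookie`, and the browser attaches the member cookie to any cross-site POST, so a third-party page can now force a member signout (a nuisance rather than a compromise, but a deliberate trade-off that should be visible in the code). Whether `getData()` or a CORS/SameSite policy elsewhere narrows this further is not visible in the hunk. The enclosing `MembersApi` function begins and ends outside the hunk.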