Removed ssoOriginCheck from signout endpoint (#10277)

no-issue

The ssoOriginCheck exists to ensure that we only allow signin/signup to
be called from the specified auth page. This is a very minor security
feature in that it forces signins to go via the page you've designated.
Signout, however, does not need this protection, as the call to signout
completely bypasses any UI (this is the same for the call to /token).
Fabien O'Carroll 2018-12-14 13:56:31 +07:00
parent b219e26ea6
commit 99aeda5909

@ -140,7 +140,7 @@ module.exports = function MembersApi({
}).catch(handleError(401, res)); }).catch(handleError(401, res));
}); });
apiRouter.post('/signout', getData(), ssoOriginCheck, (req, res) => { apiRouter.post('/signout', getData(), (req, res) => {
res.writeHead(200, { res.writeHead(200, {
'Set-Cookie': removeCookie() 'Set-Cookie': removeCookie()
}); });
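
Review bot: on the `/signout` route, only `getData()` now runs before the handler that returns `'Set-Cookie': removeCookie()`, so nothing visible in this hunk restricts which origin can trigger the cookie removal, and the route itself does not say that this is intentional. Since the commit message states that signout, like `/token`, is meant to bypass the auth-page UI, put a one-line comment on the route recording that the origin check is deliberately omitted, and add a test that posts to `/signout` from an origin other than the auth page and expects the 200 with the cleared cookie, so a later change does not silently reintroduce `ssoOriginCheck` or remove it from the signin/signup routes by analogy.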