Remove csurf

New views will use the REST API rather than the session, so this will no longer apply.
Johannes Zellner
2020-02-05 12:49:35 +01:00
parent 6a92af3db3
commit d3c7616120
9 changed files with 48 additions and 140 deletions
+4 -7
@@ -128,9 +128,6 @@ function initializeExpressSync() {
const verifyDomainLock = routes.domains.verifyDomainLock;
// csrf protection
var csrf = routes.oauth2.csrf();
// public routes
router.post('/api/v1/cloudron/setup', routes.provision.providerTokenAuth, routes.provision.setup); // only available until no-domain
router.post('/api/v1/cloudron/restore', routes.provision.restore); // only available until activated
@@ -223,12 +220,12 @@ function initializeExpressSync() {
router.del ('/api/v1/groups/:groupId', usersManageScope, routes.groups.remove);
// form based login routes used by oauth2 frame
router.get ('/api/v1/session/login', csrf, routes.oauth2.loginForm);
router.post('/api/v1/session/login', csrf, routes.oauth2.login);
router.get ('/api/v1/session/login', routes.oauth2.loginForm);
router.post('/api/v1/session/login', routes.oauth2.login);
router.get ('/api/v1/session/logout', routes.oauth2.logout);
router.get ('/api/v1/session/callback', routes.oauth2.sessionCallback());
router.get ('/api/v1/session/account/setup.html', csrf, routes.oauth2.accountSetupSite);
router.post('/api/v1/session/account/setup', csrf, routes.oauth2.accountSetup);
router.get ('/api/v1/session/account/setup.html', routes.oauth2.accountSetupSite);
router.post('/api/v1/session/account/setup', routes.oauth2.accountSetup);
// oauth2 routes
router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization());
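Review bot: The two form POST routes in the second hunk, `/api/v1/session/login` and `/api/v1/session/account/setup`, stay registered under the "form based login routes used by oauth2 frame" comment but no longer have any CSRF check in front of them. The description's rationale covers new REST views; while these handlers still accept browser form posts and establish or act on a session, they remain exposed to cross-site form submission (login CSRF at minimum). Whether `routes.oauth2.login` and `routes.oauth2.accountSetup` were changed in the other files of this commit is not visible here, and `initializeExpressSync` continues outside both hunks, so this needs confirming against the handlers. If the csurf dependency has to go now, either drop these session routes in the same change or put a same-origin `Origin`/`Referer` check (or a `SameSite` session cookie) in front of the POSTs, and record the decision next to the routes, e.g. `// no CSRF token here: safe only while these handlers rely on no ambient session cookie`.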