Skip to content

Commit 9f6e312

Browse files
author
Fiona McCrae
committed
security.py change allowing CSRF protections to be bypassed if the session is authentication exempt. This may need more security refinement
1 parent 06d95f9 commit 9f6e312

1 file changed

Lines changed: 7 additions & 1 deletion

File tree

app/api/v2/security.py

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,13 +91,19 @@ async def csrf_protect_middleware(request, handler):
9191
# If API key auth is present, skip CSRF checks
9292
if request.headers.get('KEY'):
9393
return await handler(request)
94+
95+
# If the endpoint handler is explicitly decorated as authentication-exempt,
96+
# allow it to proceed without CSRF validation. This covers endpoints like
97+
# login which must be callable before a session and CSRF token exist.
98+
if is_handler_authentication_exempt(handler):
99+
return await handler(request)
94100

95101
# For session-authenticated requests, validate token
96102
try:
97103
session = await get_session(request)
98104
token = session.get('csrf_token') if session is not None else None
99105
header = request.headers.get('X-CSRF-Token') or request.headers.get('X-XSRF-TOKEN')
100-
# check if there is a token, the header is missing, and whether the token and header
106+
# check if there is a token, the header is missing, and whether the token and header
101107
# hash authentication works
102108
if not token or not header or not compare_digest(header, token):
103109
raise HTTPForbidden(text='Missing or invalid CSRF token')

0 commit comments

Comments
 (0)