Refactor CSRF protector (#32057) (fix forgejo tests)

Fix the tests unique to Forgejo that are impacted by the refactor.
Earl Warren 2024-09-22 12:57:03 +02:00
parent 1ae3b127fc
commit 6275d1bc50
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 59 additions and 38 deletions


@ -30,8 +30,9 @@ import (
)
const (
CsrfHeaderName = "X-Csrf-Token"
CsrfFormName = "_csrf"
CsrfHeaderName = "X-Csrf-Token"
CsrfFormName = "_csrf"
CsrfErrorString = "Invalid CSRF token."
)
// CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.
@ -144,7 +145,7 @@ func (c *csrfProtector) validateToken(ctx *Context, token string) {
c.DeleteCookie(ctx)
// currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.
// FIXME: distinguish what the response is for: HTML (web page) or JSON (fetch)
http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)
http.Error(ctx.Resp, CsrfErrorString, http.StatusBadRequest)
}
}
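Review bot: The new exported constant `CsrfErrorString` in the const block has no doc comment, although the rejection path in `validateToken` now depends on it and, judging by the commit description, the Forgejo tests presumably match on it as well. A comment such as `// CsrfErrorString is the plain-text body sent with 400 Bad Request when CSRF token validation fails.` would make that contract explicit, so the text is not reworded later without the tests being updated. The body of `validateToken` starts outside the second hunk, so the condition leading to this response cannot be checked from here.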