
Commit a91a992

committed
Exempt external auth requets
1 parent 420684f commit a91a992


1 file changed

+4
-2
lines changed


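--- a/coderd/httpmw/csrf.go
+++ b/coderd/httpmw/csrf.go
@@ -19,9 +19,8 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
 }))
-
 // Exempt all requests that do not require CSRF protection.
-// All GET requests are exempt by default.
+// All GET requests are exempt by default and no not need to be added here.
 mw.ExemptPath("/api/v2/csp/reports")
 
 // Top level agent routes.
@@ -30,6 +29,9 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
 // Derp routes
 mw.ExemptRegexp(regexp.MustCompile("derp/*"))
+// Some extra non-auth
+mw.ExemptRegexp(regexp.MustCompile("/externa-auth/*"))
+mw.ExemptRegexp(regexp.MustCompile("/github/*"))
 
 mw.ExemptFunc(func(r *http.Request) bool {
 // CSRF only affects requests that automatically attach credentials via a cookie.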
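Review bot: The two patterns added in the second hunk are unanchored and end in `/*`, which in a Go regexp means "zero or more slashes" rather than a path wildcard, so if `ExemptRegexp` does a substring match on the request path (not visible here, worth confirming) any route whose path merely contains `/github` or `/externa-auth` loses CSRF protection, not just the intended prefixes. `/externa-auth/*` also looks like a typo for `external-auth`, judging by the commit title, which would leave the intended route unexempted. Consider `mw.ExemptRegexp(regexp.MustCompile("^/external-auth/"))` and `mw.ExemptRegexp(regexp.MustCompile("^/github/"))`, and replace `// Some extra non-auth` with a comment stating why these state-changing routes are safe without a CSRF token. The comment added in the first hunk should read `do not need`, not `no not need`. CSRF's body starts and ends outside both hunks, so the surrounding exemption logic was not reviewed.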
