Diffstat (limited to 'internal/auth')
| -rw-r--r-- | internal/auth/middleware.go | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index ecdde82..78f3b53 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -6,6 +6,7 @@ import (
 "crypto/subtle"
 "encoding/base64"
 "net/http"
+ "strings"
 
 "github.com/alexedwards/scs/v2"
 )
@@ -63,6 +64,12 @@ func (m *Middleware) ClearSession(r *http.Request) error {
 // CSRFProtect checks for a valid CSRF token on state-changing requests
 func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // Skip CSRF for agent API endpoints (they use token-based auth, not cookies)
+ if strings.HasPrefix(r.URL.Path, "/agent/") {
+ next.ServeHTTP(w, r)
+ return
+ }
+
 // Ensure a token exists in the session
 if !m.sessions.Exists(r.Context(), SessionKeyCSRF) {
 token, err := generateToken()
@@ -78,7 +85,7 @@ func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
 // Check token for state-changing methods
 if r.Method == "POST" || r.Method == "PUT" || r.Method == "DELETE" || r.Method == "PATCH" {
 requestToken := r.Header.Get("X-CSRF-Token")
-
+
 if requestToken == "" {
 requestToken = r.FormValue("csrf_token")
 }
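Review bot: The new early return at the top of CSRFProtect exempts requests on URL path alone, which is only safe if nothing under `/agent/` ever honours the session cookie; the comment asserts that, but the middleware does not enforce it, so any handler later mounted under that prefix, or an agent-auth layer that falls back to the session, loses CSRF protection without anyone touching this file. A tighter exemption conditions on the credential actually presented, e.g. `if strings.HasPrefix(r.URL.Path, "/agent/") && r.Header.Get("Authorization") != "" {` (substituting whatever header the agent auth reads, which is not visible here), or mounts the agent routes outside this middleware entirely. It is also worth confirming that paths are canonicalised before this check: `r.URL.Path` is already decoded, and a value such as `/agent/../admin/x` satisfies the prefix test while a router that cleans paths differently from net/http's ServeMux may dispatch it elsewhere. I would at least expand the comment to state the invariant the bypass relies on, `// Agent handlers MUST reject session-cookie auth; this bypass assumes only bearer-token auth reaches them.` CSRFProtect's body continues past the end of the hunk.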
