The /checkout endpoint should ignore CSRF
If this endpoint is not added to the ignore CSRF list then first-time users will get an error when attempting checkout, which is not preferable.
Additionally, there is no harm in not having the endpoint CSRF protected as there is no possible harm.
ThomBreugelmans authored and JoepdeJong committed May 27, 2024
1 parent 97ff661 commit 90744b5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/main/java/ch/wisv/events/ChConnectConfiguration.java
Expand Up @@ -81,7 +81,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringRequestMatchers("/api/v1/**")
.ignoringRequestMatchers("/api/v1/**", "/checkout")
)
.oauth2Login(oauth -> oauth
.userInfoEndpoint(userInfo -> userInfo
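Review bot: The added "/checkout" entry in `.ignoringRequestMatchers("/api/v1/**", "/checkout")` switches off CSRF checking for every HTTP method on that path, and nothing in this hunk shows why a forged cross-site request to it would be harmless. A string matcher carries no method restriction, so any state-changing POST handled at /checkout is now accepted without a token. The commit message says only first-time users hit the error, which points to the token cookie from `CookieCsrfTokenRepository.withHttpOnlyFalse()` not yet existing on the first request (Spring Security 6 loads the token lazily) rather than to the endpoint needing an exemption. Consider making sure the token is issued before the checkout form is submitted, for example by rendering it in the page that posts to /checkout, and keeping the endpoint protected. If the exemption stays, narrow it to the specific method that needs it and add a comment on this line stating what /checkout does and why skipping the check is safe.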