From 90744b53bfe4e659638ae865fb6e7288a8767c72 Mon Sep 17 00:00:00 2001
From: Thom Breugelmans
Date: Mon, 27 May 2024 19:47:30 +0200
Subject: [PATCH] The /checkout endpoint should ignore CSRF

If this endpoint is not added to the ignore CSRF list then first time users will get an error when attempting checkout which is not preferrable. Additionally there is no harm in not having the endpoint CSRF protected as there is no possible harm.
---
 src/main/java/ch/wisv/events/ChConnectConfiguration.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/ch/wisv/events/ChConnectConfiguration.java b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
index d33fefb3..4eef2279 100644
--- a/src/main/java/ch/wisv/events/ChConnectConfiguration.java
+++ b/src/main/java/ch/wisv/events/ChConnectConfiguration.java
@@ -81,7 +81,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             .csrf(csrf -> csrf
                 .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
                 .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
-                .ignoringRequestMatchers("/api/v1/**")
+                .ignoringRequestMatchers("/api/v1/**", "/checkout")
             )
             .oauth2Login(oauth -> oauth
                 .userInfoEndpoint(userInfo -> userInfo
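Review bot: The added `"/checkout"` entry on the `+` line switches CSRF protection off for a route that, by its name, places an order on behalf of a session-authenticated user, and the commit message's "no possible harm" is asserted rather than shown: this chain uses `oauth2Login`, so the browser carries a session cookie, and once `/checkout` is ignored any third-party page can submit a plain form POST to it in a logged-in user's name with no token at all. The "first time users get an error" symptom matches Spring Security 6's deferred CSRF token (the `XorCsrfTokenRequestAttributeHandler` shown here only exists from 5.8/6.0), where `CookieCsrfTokenRepository` does not write the `XSRF-TOKEN` cookie until something reads the token, so the first POST of a fresh session arrives without one; the fix for that is to make the cookie get issued, not to drop the check. Keep `.ignoringRequestMatchers("/api/v1/**")` as it was and register a small filter after `BasicAuthenticationFilter` that touches the `CsrfToken` attribute on every request, as sketched below (the Spring Security 6 migration guide's `CsrfCookieFilter`). If `/checkout` really is side-effect free, that belongs in a comment next to the matcher — `// /checkout is GET-only and idempotent; re-verify before widening this list` — not only in the commit message. The enclosing `filterChain(HttpSecurity http)` method starts before and ends after this hunk.
```java
            .csrf(csrf -> csrf
                // … unchanged: csrfTokenRequestHandler, csrfTokenRepository …
                .ignoringRequestMatchers("/api/v1/**")   // /checkout stays protected
            )
            // Read the token once per request so CookieCsrfTokenRepository writes the XSRF-TOKEN
            // cookie before the first state-changing POST (Spring Security 6 defers it otherwise).
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
            // … unchanged: .oauth2Login(...) …

    /** Forces the deferred CsrfToken to load so the cookie repository saves it on the response. */
    private static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            csrfToken.getToken(); // triggers CookieCsrfTokenRepository.saveToken(...)
            filterChain.doFilter(request, response);
        }
    }
```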