mirror of
https://github.com/flarum/framework.git
synced 2024-11-30 13:36:10 +08:00
parent
51b33c8cab
commit
2fc2cd5863
|
@ -41,7 +41,6 @@ class AuthenticateWithHeader implements Middleware
|
|||
|
||||
$request = $request->withAttribute('apiKey', $key);
|
||||
$request = $request->withAttribute('bypassFloodgate', true);
|
||||
$request = $request->withAttribute('bypassCsrfToken', true);
|
||||
} elseif ($token = AccessToken::find($id)) {
|
||||
$token->touch();
|
||||
|
||||
|
@ -50,6 +49,7 @@ class AuthenticateWithHeader implements Middleware
|
|||
|
||||
if (isset($actor)) {
|
||||
$request = $request->withAttribute('actor', $actor);
|
||||
$request = $request->withAttribute('bypassCsrfToken', true);
|
||||
$request = $request->withoutAttribute('session');
|
||||
}
|
||||
}
|
||||
|
|
|
@ -190,4 +190,34 @@ class RequireCsrfTokenTest extends TestCase
|
|||
$this->database()->table('settings')->where('key', 'csrf_test')->first()->value
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function access_token_does_not_need_csrf_token()
|
||||
{
|
||||
$this->database()->table('access_tokens')->insert(
|
||||
['token' => 'myaccesstoken', 'user_id' => 1]
|
||||
);
|
||||
|
||||
$response = $this->send(
|
||||
$this->request(
|
||||
'POST', '/api/settings',
|
||||
[
|
||||
'json' => ['csrf_test' => 2],
|
||||
]
|
||||
)->withHeader('Authorization', 'Token myaccesstoken')
|
||||
);
|
||||
|
||||
// Successful response?
|
||||
$this->assertEquals(204, $response->getStatusCode());
|
||||
|
||||
// Was the setting actually changed in the database?
|
||||
$this->assertEquals(
|
||||
2,
|
||||
$this->database()->table('settings')->where('key', 'csrf_test')->first()->value
|
||||
);
|
||||
|
||||
$this->database()->table('access_tokens')->where('token', 'myaccesstoken')->delete();
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user