FEATURE: Flag to disable DiscourseConnect CSRF protection (#12356)

This is not recommended. But if you have other protections in place for CSRF mitigation, you may wish to disable Discourse's implementation. This site setting is not visible in the UI, and must be changed via the console.
2025-05-24 03:36:18 +08:00 · 2021-03-11 10:38:34 +00:00
parent 593edc43c5
commit 0902e56162
3 changed files with 40 additions and 4 deletions
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@ -375,10 +375,27 @@ describe DiscourseSingleSignOn do
    sso = DiscourseSingleSignOn.parse(payload, secure_session: secure_session)
    expect(sso.nonce_valid?).to eq true

+    other_session_sso = DiscourseSingleSignOn.parse(payload, secure_session: SecureSession.new("differentsession"))
+    expect(other_session_sso.nonce_valid?).to eq false
+
    sso.expire_nonce!

    expect(sso.nonce_valid?).to eq false
+  end

+  it "allows disabling CSRF protection" do
+    SiteSetting.discourse_connect_csrf_protection = false
+    _ , payload = DiscourseSingleSignOn.generate_url(secure_session: secure_session).split("?")
+
+    sso = DiscourseSingleSignOn.parse(payload, secure_session: secure_session)
+    expect(sso.nonce_valid?).to eq true
+
+    other_session_sso = DiscourseSingleSignOn.parse(payload, secure_session: SecureSession.new("differentsession"))
+    expect(other_session_sso.nonce_valid?).to eq true
+
+    sso.expire_nonce!
+
+    expect(sso.nonce_valid?).to eq false
  end

  it "generates a correct sso url" do