Bypass CSRF token check when using access tokens

Fixes #1828.
2025-06-04 14:54:32 +08:00 · 2019-08-01 22:53:31 +02:00
parent 80546b9ed7
commit a737b98e7f
2 changed files with 31 additions and 1 deletions
--- a/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
+++ b/tests/integration/api/csrf_protection/RequireCsrfTokenTest.php
@ -188,4 +188,34 @@ class RequireCsrfTokenTest extends TestCase
            $this->database()->table('settings')->where('key', 'csrf_test')->first()->value
        );
    }
+
+    /**
+     * @test
+     */
+    public function access_token_does_not_need_csrf_token()
+    {
+        $this->database()->table('access_tokens')->insert(
+            ['token' => 'myaccesstoken', 'user_id' => 1]
+        );
+
+        $response = $this->send(
+            $this->request(
+                'POST', '/api/settings',
+                [
+                    'json' => ['csrf_test' => 2],
+                ]
+            )->withHeader('Authorization', 'Token myaccesstoken')
+        );
+
+        // Successful response?
+        $this->assertEquals(204, $response->getStatusCode());
+
+        // Was the setting actually changed in the database?
+        $this->assertEquals(
+            2,
+            $this->database()->table('settings')->where('key', 'csrf_test')->first()->value
+        );
+
+        $this->database()->table('access_tokens')->where('token', 'myaccesstoken')->delete();
+    }
 }