Disable CSRF token check for HTTP git pull

Git pull uses a POST request, which is treated as a write request and the CSRF token is checked. However, no modification to the server is made by git pulls, as far as I know (actually I'm not sure why it uses a POST). The entire response is handled by the git command, and the client side is usually the git command running in the terminal, there's no session and no cookies (as far as I know). So I'm just disabling CSRF token checking for this route.
2024-12-27 19:24:52 +09:00 · 2018-07-01 15:04:33 +00:00 · 2018-07-01 15:04:33 +00:00 · a1d0b8402e
commit a1d0b8402e
parent c420b8d8ea
1 changed files with 14 additions and 3 deletions
--- a/src/Vervis/Foundation.hs
+++ b/src/Vervis/Foundation.hs
@ -109,10 +109,21 @@ instance Yesod App where
    --   a) Sets a cookie with a CSRF token in it.
    --   b) Validates that incoming write requests include that token in either a header or POST parameter.
    -- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
-    yesodMiddleware =
-        defaultCsrfMiddleware .
+    yesodMiddleware
        -- sslOnlyMiddleware 120 .
-        defaultYesodMiddleware
+        = defaultCsrfSetCookieMiddleware
+        . (\ handler ->
+            csrfCheckMiddleware
+                handler
+                (getCurrentRoute >>= \ mr -> case mr of
+                    Nothing                      -> return False
+                    Just (GitUploadRequestR _ _) -> return False
+                    Just r                       -> isWriteRequest r
+                )
+                defaultCsrfHeaderName
+                defaultCsrfParamName
+          )
+        . defaultYesodMiddleware

    defaultLayout widget = do
        master <- getYesod