feat(async): avoid sending CSRF token for async edge polling requests BE-1152 (#272)

2025-07-25 00:09:40 +02:00 · 2024-12-30 10:58:44 -03:00 · 2024-12-30 10:58:44 -03:00 · 0d52f9dd0e
commit 0d52f9dd0e
parent 3caffe1e85
3 changed files with 20 additions and 6 deletions
--- a/api/http/csrf/csrf.go
+++ b/api/http/csrf/csrf.go
@ -13,6 +13,12 @@ import (
 	"github.com/urfave/negroni"
 )

+const csrfSkipHeader = "X-CSRF-Token-Skip"
+
+func SkipCSRFToken(w http.ResponseWriter) {
+	w.Header().Set(csrfSkipHeader, "1")
+}
+
 func WithProtect(handler http.Handler) (http.Handler, error) {
 	// IsDockerDesktopExtension is used to check if we should skip csrf checks in the request bouncer (ShouldSkipCSRFCheck)
 	// DOCKER_EXTENSION is set to '1' in build/docker-extension/docker-compose.yml
@ -42,10 +48,14 @@ func withSendCSRFToken(handler http.Handler) http.Handler {
 		sw := negroni.NewResponseWriter(w)

 		sw.Before(func(sw negroni.ResponseWriter) {
-			statusCode := sw.Status()
-			if statusCode >= 200 && statusCode < 300 {
-				csrfToken := gorillacsrf.Token(r)
-				sw.Header().Set("X-CSRF-Token", csrfToken)
+			if len(sw.Header().Get(csrfSkipHeader)) > 0 {
+				sw.Header().Del(csrfSkipHeader)
+
+				return
+			}
+
+			if statusCode := sw.Status(); statusCode >= 200 && statusCode < 300 {
+				sw.Header().Set("X-CSRF-Token", gorillacsrf.Token(r))
 			}
 		})