feat: require csrf token if not using bearer token

2025-11-10 07:55:46 +01:00 · 2020-10-13 16:58:44 -04:00
parent 30b3fedca4
commit 1e07886f30
3 changed files with 10 additions and 1 deletions
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -34,6 +34,10 @@ module.exports = function (middleware) {
 		const loginAsync = util.promisify(req.login).bind(req);

 		if (req.loggedIn) {
+			if (res.locals.isAPI) {
+				await middleware.applyCSRFasync(req, res);
+			}
+
 			return true;
 		} else if (req.headers.hasOwnProperty('authorization')) {
 			const user = await passportAuthenticateAsync(req, res);