fixes incorrectly applied doubleCsrf to REST routes

2023-08-10 15:54:01 -05:00 · 2023-08-10 15:54:01 -05:00 · c05bfefba4
parent 9b184ab245
commit c05bfefba4
1 changed files with 4 additions and 7 deletions
--- a/src/admin/routes.ts
+++ b/src/admin/routes.ts
@ -15,13 +15,10 @@ adminRouter.use(
 adminRouter.use(cookieParser());
 adminRouter.use(injectCsrfToken);

-adminRouter.use("/", checkCsrfToken, loginRouter);
 adminRouter.use("/users", authorize({ via: "header" }), apiRouter);
-adminRouter.use(
-  "/manage",
-  authorize({ via: "cookie" }),
-  checkCsrfToken,
-  uiRouter
-);
+
+adminRouter.use(checkCsrfToken); // All UI routes require CSRF token
+adminRouter.use("/", loginRouter);
+adminRouter.use("/manage", authorize({ via: "cookie" }), uiRouter);

 export { adminRouter };