Remove the need for CSRF check on ocs::getCurrentUser

[pierreozoux]

Fixes #5694

I tested on my server, and worked like a charm :)

I think in term of security it is fine to open this route. What do you think?

[rullzer]

Well yes this fixes it but it removes the CSRF protection... also it is not a generic approach we basically need to fix the middleware to not check for CSRF if the bearer auth is set much like the OCS-APIREQUEST header

[MorrisJobke]

The proper fix seems to be #7873 - @pierreozoux could you check if this works for you?

[rullzer]

Yes lets do it in #7873

[Dagefoerde]

@NoCSRFRequired would be fine here, though, wouldn't it? After all, that endpoint is purely informational and does not cause any side effects.
Nevertheless, for #5694 this fix wouldn't be sufficient. #7873, as a more general approach, looks more suited to me. (Haven't gotten around to testing that one against Moodle, yet, though. It's on my agenda.)

[rullzer]

@Dagefoerde well yes. However I'm not a fan of multiple hacks to fix the same issue ;) Also since it is not enough for #5694 fixing it properly and making sure if you chose to extend NC support in moodle with other endpoints this just works makes more sense imo :).

Looking forward to your review of #7873, THNX :)

[Dagefoerde]

not a fan of multiple hacks to fix the same issue
I agree, me neither ☺. My point is rather that this PR fixes an entirely different issue. It is just labeled as fixing the same one.

Regardless, for my (and Moodle's) needs the fix of #7873 is exactly the way to go, so thanks (again) for that, @rullzer.

In the present PR the real issue is that the @NoCSRFRequired is redundant here (in my opinion) and therefore might harm understanding of what @NoCSRFRequired is good for. But since functionality is unharmed it's at your discretion whether you incorporate this fix as well, or maybe even look for other instances of unneeded annotations.

[rullzer]

The CSRF protection is on by default. You have to add the annotation to disable it ;). So there is no @CSRFrequired annotation.

[Dagefoerde]

A right, it was the other way round. Sorry for that. So I have to revise: You could consider adding the @NoCSRFRequired here because it makes sense. But, as I said, it's not exactly necessary because everything works regardless.