Exclude /api/v1/login/facebook from CSRF protection #83

divad12 · 2014-02-27T20:46:52Z

Due to turning on CSRF protection in #63, POSTing to /api/v1/login/facebook from our Android app returns a 403 Forbidden. We need to exclude this endpoint from CSRF protection and have it return the CSRF token.

Also need to ensure this endpoint is a no-op if user is already logged in, else a CSRF attack on this endpoint would allow an attacker to login a user's browser to the attacker's account.

The text was updated successfully, but these errors were encountered:

divad12 added the bug label Feb 27, 2014

divad12 self-assigned this Feb 27, 2014

divad12 added the started label Mar 2, 2014

divad12 mentioned this issue Mar 2, 2014

Exclude /api/v1/login/facebook from CSRF protection #100

Merged

divad12 closed this as completed in #100 Mar 3, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Exclude /api/v1/login/facebook from CSRF protection #83

Exclude /api/v1/login/facebook from CSRF protection #83

divad12 commented Feb 27, 2014

Exclude /api/v1/login/facebook from CSRF protection #83

Exclude /api/v1/login/facebook from CSRF protection #83

Comments

divad12 commented Feb 27, 2014