Backport #5250 on v1.6: Fix Issue 5249 and protect /api/v1/admin routes with CSRF token (#5272)

* Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware
2025-08-12 04:28:21 +00:00 · 2018-11-04 15:42:15 +00:00
parent f95c966770
commit c0bbbdd30b
5 changed files with 32 additions and 10 deletions
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"strings"

+	"github.com/go-macaron/csrf"
+
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/base"
@@ -97,6 +99,17 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }

+// RequireCSRF requires a validated a CSRF token
+func (ctx *APIContext) RequireCSRF() {
+	headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
+	formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
+	if len(headerToken) > 0 || len(formValueToken) > 0 {
+		csrf.Validate(ctx.Context.Context, ctx.csrf)
+	} else {
+		ctx.Context.Error(401)
+	}
+}
+
 // APIContexter returns apicontext as macaron middleware
 func APIContexter() macaron.Handler {
 	return func(c *Context) {