coop/account
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Exempt oauth/token from CSRF — server-to-server API endpoint
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 48s
Details

Browse Source 
External clients like artdag POST to this endpoint from their
backend, so there's no browser session with a CSRF token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
giles
2026-02-24 01:06:19 +00:00
parent 12822fbd52
commit 3e0669a335
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bp/auth/routes.py
View File

@@ -123,6 +123,9 @@ def register(url_prefix="/auth"):
# --- OAuth2 token exchange (for external clients like artdag) ------------- # --- OAuth2 token exchange (for external clients like artdag) -------------
from shared.browser.app.csrf import csrf_exempt
@csrf_exempt
@auth_bp.post("/oauth/token") @auth_bp.post("/oauth/token")
@auth_bp.post("/oauth/token/") @auth_bp.post("/oauth/token/")
async def oauth_token(): async def oauth_token():