CSRF skipper only for GET *.js request (#627)

Signed-off-by: Thomas Miceli <tho.miceli@gmail.com>
2026-03-02 14:05:45 +07:00
parent 42490f2995
commit 829cd68879
1 changed files with 1 additions and 2 deletions
--- a/internal/web/server/middlewares.go
+++ b/internal/web/server/middlewares.go
@@ -72,7 +72,7 @@ func (s *Server) registerMiddlewares() {
 				/* skip CSRF for git clients */
 				matchUploadPack, _ := regexp.MatchString("(.*?)/git-upload-pack$", ctx.Request().URL.Path)
 				matchReceivePack, _ := regexp.MatchString("(.*?)/git-receive-pack$", ctx.Request().URL.Path)
-				return filepath.Ext(gistName) == ".js" || matchUploadPack || matchReceivePack
+				return (filepath.Ext(gistName) == ".js" && ctx.Request().Method == "GET") || matchUploadPack || matchReceivePack
 			},
 			ErrorHandler: func(err error, c echo.Context) error {
 				log.Info().Err(err).Msg("CSRF error")
@@ -320,7 +320,6 @@ func csrfInit(next Handler) Handler {
 			csrf = csrfToken
 		}
 		ctx.SetData("csrfHtml", template.HTML(`<input type="hidden" name="_csrf" value="`+csrf+`">`))
-		ctx.SetData("csrfHtml", template.HTML(`<input type="hidden" name="_csrf" value="`+csrf+`">`))

 		return next(ctx)
 	}