Mark the refresh access token view as exempt from CSRF protection.

Douglas Hall
2018-10-12 16:00:34 -04:00
parent 969728874b
commit 4817dd3f61


@@ -14,7 +14,7 @@ from django.contrib.auth.models import User
from django.urls import reverse
from django.http import HttpResponse
from django.utils.translation import ugettext as _
from django.views.decorators.csrf import ensure_csrf_cookie
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
from django.views.decorators.http import require_http_methods
from ratelimitbackend.exceptions import RateLimitException
@@ -398,7 +398,11 @@ def login_user(request):
return JsonResponse(error.get_response())
@ensure_csrf_cookie
# CSRF protection is not needed here because the only side effect
# of this endpoint is to refresh the cookie-based JWT, and attempting
# to get a CSRF token before we need to refresh adds too much
# complexity.
@csrf_exempt
@require_http_methods(['POST'])
def login_refresh(request):
try:
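Review bot: The justification comment above `@csrf_exempt` under-states what remains possible once the token check is gone: any cross-site page can now make a logged-in browser POST to this view and have its JWT cookie refreshed, so the exemption is only safe if the view never creates a session, only extends one that is already valid, and rejects unauthenticated requests — the body of `login_refresh` continues outside the hunk, so that cannot be confirmed here. I would add that assumption to the comment so the next maintainer does not loosen the view further: `# Safe only because this view refreshes an existing, still-valid JWT and never issues one for an anonymous request; a cross-site POST can reach it.` The file already imports `RateLimitException`, so it is also worth confirming (hedged, not visible) that the now token-free endpoint is rate-limited like `login_user`. Dropping `@ensure_csrf_cookie` here means callers that relied on this response to obtain a CSRF cookie for later requests will no longer get one; a short note on that in the commit description would help.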