Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-20 22:42:53 -05:00
Code Issues Activity

Removed ssoOriginCheck from signout endpoint (#10277)

Browse source 
no-issue

the ssoOriginCheck exists to ensure that we only allow signin/signup to
be called from the specified auth page, this is a very minor security
feature in that it forces signins to go via the page you've designated.
signout however does not need this protection as the call to signout
completely bypasses any UI (this is the same for the call to /token)
This commit is contained in:
Fabien O'Carroll 2018-12-14 13:56:31 +07:00 committed by Rishabh Garg
parent 2d92793b3f
commit 7dd2b04343
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/server/lib/members/index.js
View file

@ -140,7 +140,7 @@ module.exports = function MembersApi({
}).catch(handleError(401, res));
});
apiRouter.post('/signout', getData(), ssoOriginCheck, (req, res) => {
apiRouter.post('/signout', getData(), (req, res) => {
res.writeHead(200, {
'Set-Cookie': removeCookie()
});