From c484eb8c43eec1128f6a5ae8432181e800ca9a3c Mon Sep 17 00:00:00 2001
From: Chen-I Lim
Date: Fri, 5 Feb 2021 10:45:28 -0800
Subject: [PATCH] Don't require CSRF token for get files
---
 server/api/api.go | 7 +++----
 webapp/src/octoClient.ts | 12 ++++++------
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/server/api/api.go b/server/api/api.go
index 4953504b3..41d3d85e0 100644
--- a/server/api/api.go
+++ b/server/api/api.go
@@ -55,6 +55,8 @@ func (a *API) RegisterRoutes(r *mux.Router) {
  apiv1.HandleFunc("/login", a.handleLogin).Methods("POST")
  apiv1.HandleFunc("/register", a.handleRegister).Methods("POST")
+ apiv1.HandleFunc("/files", a.sessionRequired(a.handleUploadFile)).Methods("POST")
+
  apiv1.HandleFunc("/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
  apiv1.HandleFunc("/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
@@ -64,12 +66,9 @@ func (a *API) RegisterRoutes(r *mux.Router) {
  apiv1.HandleFunc("/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
  apiv1.HandleFunc("/workspace/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST")
- // Files API
+ // Get Files API
  files := r.PathPrefix("/files/").Subrouter()
- files.Use(a.requireCSRFToken)
-
- files.HandleFunc("/", a.sessionRequired(a.handleUploadFile)).Methods("POST")
  files.HandleFunc("/(unknown)", a.sessionRequired(a.handleServeFile)).Methods("GET")
  }
diff --git a/webapp/src/octoClient.ts b/webapp/src/octoClient.ts
index b6b45346a..8ae7fa538 100644
--- a/webapp/src/octoClient.ts
+++ b/webapp/src/octoClient.ts
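Review bot: The upload route moves from the `files` subrouter, which applied `requireCSRFToken`, to `apiv1` with only `sessionRequired`, so the CSRF coverage of a state-changing multipart POST now depends on whatever middleware `apiv1` installs, and that is outside this hunk. If `apiv1.Use(a.requireCSRFToken)` is already present earlier in RegisterRoutes the move keeps the upload protected; if it is not, and `sessionRequired` accepts a cookie-backed session, the commit silently drops the check for this endpoint, so please confirm in the same review. A one-line comment next to the new route, `// Uploads change state: CSRF protection is expected from the apiv1 middleware chain.`, would make that dependency explicit for the next reader. RegisterRoutes starts before this hunk and continues after it.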
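Review bot: Dropping `files.Use(a.requireCSRFToken)` is sound only while every route registered on the `files` subrouter is read-only, and the renamed comment `// Get Files API` does not record that constraint, so a POST added here later would inherit no CSRF check without anyone noticing. Suggest replacing the comment with `// Get Files API: GET-only, served without a CSRF token so browsers can load files directly; register any state-changing file route under apiv1 instead.` The remaining GET route still goes through `sessionRequired`, which is the right minimum for a read endpoint.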
@@ -232,14 +232,14 @@ class OctoClient {
  formData.append('file', file)
  try {
+ const headers = this.headers() as Record
+
+ // TIPTIP: Leave out Content-Type here, it will be automatically set by the browser
+ delete headers['Content-Type']
+
  const response = await fetch(this.serverUrl + '/api/v1/files', {
  method: 'POST',
-
- // TIPTIP: Leave out Content-Type here, it will be automatically set by the browser
- headers: {
- Accept: 'application/json',
- Authorization: this.token ? 'Bearer ' + this.token : '',
- },
+ headers,
  body: formData,
  })
  if (response.status !== 200) {
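Review bot: `delete headers['Content-Type']` mutates the object returned by `this.headers()`; if that method hands back a shared or cached object rather than building a fresh one on every call (its body is not in this hunk), every later request from this client would go out without a Content-Type header. Copying before mutating removes the dependency on that detail: `const headers = {...this.headers()} as Record<string, string>`. The replaced literal sent only Accept and Authorization, so the request now also carries whatever else `this.headers()` sets, which appears to be the point of the change but is worth stating, e.g. `// Reuse the client's standard headers (auth and any request tokens); only the multipart Content-Type is left for the browser to set.` The enclosing method starts before this hunk and ends after it.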