From 2936dc87d074e6d83147c9e6cf4ae8bac4e4af8d Mon Sep 17 00:00:00 2001
From: Daniel Schalla <daniel@schalla.me>
Date: Thu, 2 Aug 2018 00:16:04 +0200
Subject: CSRF Token Implementation for Plugins (#9192)

deleted test config

fix test config

Dont wipe the session token for plugins

Simplified Tokens; Generate CSRF for other sessions

Remove CSRF from Access Token; Remove Getter/Setter from Context

fix removed setter

remove getcsrf helper from plugin api

enforce csrf only for cookie auth
---
 app/oauth.go | 1 +
 1 file changed, 1 insertion(+)

(limited to 'app/oauth.go')

diff --git a/app/oauth.go b/app/oauth.go
index 60ea39255..a0123c0e9 100644
--- a/app/oauth.go
+++ b/app/oauth.go
@@ -334,6 +334,7 @@ func (a *App) GetOAuthAccessTokenForCodeFlow(clientId, grantType, redirectUri, c
 func (a *App) newSession(appName string, user *model.User) (*model.Session, *model.AppError) {
 	// set new token an session
 	session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true}
+	session.GenerateCSRF()
 	session.SetExpireInDays(*a.Config().ServiceSettings.SessionLengthSSOInDays)
 	session.AddProp(model.SESSION_PROP_PLATFORM, appName)
 	session.AddProp(model.SESSION_PROP_OS, "OAuth2")
-- 
cgit v1.2.3-1-g7c22