fixed routes exceptions for teams com

2026-02-13 12:37:22 +01:00 · 2026-02-13 12:37:22 +01:00 · 0a9347cdd2
commit 0a9347cdd2
parent 722728720e
1 changed files with 12 additions and 2 deletions
--- a/modules/auth/csrf.py
+++ b/modules/auth/csrf.py
@ -27,8 +27,13 @@ class CSRFMiddleware(BaseHTTPMiddleware):
            "/api/msft/login",
            "/api/google/login",
            "/api/msft/callback",
-            "/api/google/callback"
+            "/api/google/callback",
        }
+
+        # Path prefixes exempt from CSRF (for service-to-service callbacks)
+        self._exemptPrefixes = [
+            "/api/teamsbot/",  # .NET Media Bridge callbacks (bridge/status, bridge/audio)
+        ]
        
        # State-changing HTTP methods that require CSRF protection
        self.protected_methods = {"POST", "PUT", "DELETE", "PATCH"}
@ -37,9 +42,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
        """
        Check CSRF token for state-changing operations.
        """
-        # Skip CSRF check for exempt paths
+        # Skip CSRF check for exempt paths (exact match)
        if request.url.path in self.exempt_paths:
            return await call_next(request)
+
+        # Skip CSRF check for exempt path prefixes (bridge callbacks etc.)
+        if any(request.url.path.startswith(p) for p in self._exemptPrefixes):
+            if "/bridge/" in request.url.path:
+                return await call_next(request)
        
        # Skip CSRF check for non-state-changing methods
        if request.method not in self.protected_methods: