PowerOn/gateway
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #94 from valueonag/feat/auxiliaries2

Browse source 
fixed routes exceptions for teams com
This commit is contained in:
Patrick Motsch 2026-02-13 12:37:53 +01:00 committed by GitHub
commit 0d1c30d4c6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
modules/auth/csrf.py
View file

@ -27,8 +27,13 @@ class CSRFMiddleware(BaseHTTPMiddleware):
"/api/msft/login", "/api/msft/login",
"/api/google/login", "/api/google/login",
"/api/msft/callback", "/api/msft/callback",
"/api/google/callback" "/api/google/callback",
} }
# Path prefixes exempt from CSRF (for service-to-service callbacks)
self._exemptPrefixes = [
"/api/teamsbot/", # .NET Media Bridge callbacks (bridge/status, bridge/audio)
]
# State-changing HTTP methods that require CSRF protection # State-changing HTTP methods that require CSRF protection
self.protected_methods = {"POST", "PUT", "DELETE", "PATCH"} self.protected_methods = {"POST", "PUT", "DELETE", "PATCH"}
@ -37,9 +42,14 @@ class CSRFMiddleware(BaseHTTPMiddleware):
""" """
Check CSRF token for state-changing operations. Check CSRF token for state-changing operations.
""" """
# Skip CSRF check for exempt paths # Skip CSRF check for exempt paths (exact match)
if request.url.path in self.exempt_paths: if request.url.path in self.exempt_paths:
return await call_next(request) return await call_next(request)
# Skip CSRF check for exempt path prefixes (bridge callbacks etc.)
if any(request.url.path.startswith(p) for p in self._exemptPrefixes):
if "/bridge/" in request.url.path:
return await call_next(request)
# Skip CSRF check for non-state-changing methods # Skip CSRF check for non-state-changing methods
if request.method not in self.protected_methods: if request.method not in self.protected_methods: