GrafeasGroup / blossom

The website. The app. The everything.

[RFC] Exempt the API from CSRF protections #129

Closed TheLonelyGhost closed 3 years ago

TheLonelyGhost commented 3 years ago

Description:

Currently the bots call out to a non-existent API endpoint to harvest a CSRF token, then call to the appropriate API. That results in lots of errors generated. I'm arguing here that it isn't necessary to protect the API like that.

Given CSRF protection is an anti-bot measure, an API by nature is intended for bots, and we are already authenticating every request with an API token, applying exemptions to all authenticated API endpoints seems prudent.

Checklist:
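The reasoning in the description, as an added, framework-independent illustration (this is not code from blossom, its bots, or Django's own CSRF middleware; the `Request` class, `authorize` function and the `API_TOKENS`/`SESSIONS` stores are constructed stand-ins): a CSRF check exists to reject state-changing requests that a browser sends with an ambient credential such as a session cookie. A request proven by an explicit `Authorization: Token ...` header carries no ambient credential, so skipping the CSRF check there loses nothing. The caveat a reviewer would want on the record is that the exemption is only safe while the token-authenticated endpoint refuses to fall back to cookie-based session authentication, which the example enforces with `allow_session_fallback=False`.

```python
import hmac
from dataclasses import dataclass, field

# Constructed credential stores standing in for a real database.
API_TOKENS = {"tok_abc123": "bot-user"}      # API token -> account
SESSIONS = {"sess_xyz789": "web-user"}       # session cookie -> account

# Methods that must never change state, so they never need a CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def authenticate_by_token(req):
    """Return the account for an 'Authorization: Token <value>' header, else None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not token or not token.isascii():
        return None
    # Compare against every stored token in constant time so response timing
    # does not reveal how many leading characters of a guess matched.
    matched = None
    for stored, account in API_TOKENS.items():
        if hmac.compare_digest(stored, token):
            matched = account
    return matched


def authenticate_by_session(req):
    """Return the account for the session cookie, else None (an ambient credential)."""
    return SESSIONS.get(req.cookies.get("sessionid", ""))


def csrf_valid(req):
    """Double-submit check: the token the client sends must match the CSRF cookie."""
    cookie = req.cookies.get("csrftoken")
    sent = req.form.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken")
    return bool(cookie and sent and hmac.compare_digest(cookie, sent))


def authorize(req, allow_session_fallback=False):
    """Return (status, account): 200 allowed, 401 unauthenticated, 403 CSRF failure.

    A request proven by an explicit API token is exempt from CSRF: a browser
    cannot be tricked into attaching that header to a cross-site request.
    Session cookies are attached automatically, so they still need the check.
    The exemption is only safe while the token-authenticated endpoint refuses
    to fall back to the session cookie (allow_session_fallback=False).
    """
    account = authenticate_by_token(req)
    if account is not None:
        return 200, account
    if not allow_session_fallback:
        return 401, None
    account = authenticate_by_session(req)
    if account is None:
        return 401, None
    if req.method not in SAFE_METHODS and not csrf_valid(req):
        return 403, None
    return 200, account


if __name__ == "__main__":
    bot = Request("POST", headers={"Authorization": "Token tok_abc123"})
    print(authorize(bot))                                    # (200, 'bot-user')
    browser = Request("POST", cookies={"sessionid": "sess_xyz789"})
    print(authorize(browser))                                # (401, None)
    print(authorize(browser, allow_session_fallback=True))   # (403, None)
```

The three calls at the bottom show the two sides of the argument: the bot's token-authenticated POST succeeds with no CSRF token at all, while the same POST carrying only a session cookie is either refused outright by the API (no fallback) or held to the CSRF check when fallback is switched on.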

MaxVanDeursen commented 3 years ago

Would this mean that the functionality within the Blossom wrapper does not work anymore? If this is the case, we should make sure to deploy a bump in versions for both Blossom, her wrapper, and all applications in tandem.

TheLonelyGhost commented 3 years ago

Good question. I wouldn't expect it would and I suspect it would just ignore whether someone has sent a valid CSRF. Would have to test to be certain, so I'll post here once I do that 😄.

itsthejoker commented 3 years ago

@TheLonelyGhost any movement here?

TheLonelyGhost commented 3 years ago

Just tested and it looks like it works okay regardless of whether a CSRF token is passed:

With CSRF token

Without CSRF token