Open akhil1508 opened 4 months ago
Is it okay to get a CSRF token using the /csrftoken route and then re-use the session associated with this along with BEARER token authentication? My use case is accessing the notes API route from a mobile client using BEARER token authentication with SSO.
There is a @NoCSRFRequired annotation for these routes though.
Is it secure to skip this CORS check as we do in https://github.com/nextcloud/server/commit/2fb703dfdac399972305c7180f2940d1aaf15b9f for AppAPI requests?
if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('is_oidc') === true) {
    return;
}
Bug description
Steps to reproduce
Apply the following patch using
patch -u custom_apps/oidc_login/lib/AppInfo/Application.php -i oidc_api.patch