From 1e07886f30b8b458c2dbe15e14bbd6b4df499d7f Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Tue, 13 Oct 2020 16:58:44 -0400
Subject: [PATCH] feat: require csrf token if not using bearer token
---
 public/src/modules/api.js | 6 +++++-
 src/middleware/index.js | 1 +
 src/middleware/user.js | 4 ++++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/public/src/modules/api.js b/public/src/modules/api.js
index 374c36b95c..26796c07df 100644
--- a/public/src/modules/api.js
+++ b/public/src/modules/api.js
@@ -5,7 +5,11 @@ define('api', () => {
 const baseUrl = config.relative_path + '/api/v3';
 function call(options, onSuccess, onError) {
- $.ajax(options)
+ $.ajax(Object.assign({
+ headers: {
+ 'x-csrf-token': config.csrf_token,
+ },
+ }, options))
 .done((res) => {
 if (onSuccess) {
 onSuccess(res.response);
diff --git a/src/middleware/index.js b/src/middleware/index.js
index ee01b0b30c..98eb224e33 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -48,6 +48,7 @@ middleware.applyCSRF = function (req, res, next) {
 next();
 }
 };
+middleware.applyCSRFasync = util.promisify(middleware.applyCSRF);
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
diff --git a/src/middleware/user.js b/src/middleware/user.js
index 8babf6007f..5c8d9caa76 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -34,6 +34,10 @@ module.exports = function (middleware) {
 const loginAsync = util.promisify(req.login).bind(req);
 if (req.loggedIn) {
+ if (res.locals.isAPI) {
+ await middleware.applyCSRFasync(req, res);
+ }
+
 return true;
 } else if (req.headers.hasOwnProperty('authorization')) {
 const user = await passportAuthenticateAsync(req, res);
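Review bot: The shallow `Object.assign` in the new `$.ajax` call drops the CSRF header whenever a caller passes its own `headers` in `options`, because the caller's object replaces the default one wholesale instead of merging into it, and such requests would then fail the new server-side check with no indication of why. Merging one level deeper keeps both: `$.ajax(Object.assign({}, options, { headers: Object.assign({ 'x-csrf-token': config.csrf_token }, options.headers) }))`. The token is now attached to every request routed through `call`; if `options.url` can ever point off-origin (how the URL is built is not visible in this hunk), the token would be sent to that host, so it is worth limiting the header to URLs under `baseUrl`. The body of `call` continues past the end of the hunk.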
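Review bot: `applyCSRFasync` settles only when `applyCSRF` invokes `next`; if any branch of `applyCSRF` (its body starts before this hunk) ends the response without calling `next`, an awaiting caller would hang, and when it calls `next(err)` the promise rejects with that error, which each `await` site must catch and turn into a 403. A one-line comment above the new line would make that contract explicit: `// Promise form of applyCSRF for async middleware: rejects with the CSRF error instead of calling next(err); never resolves if applyCSRF responds without calling next.` This also assumes `util` is already required at the top of the file, which is outside the hunk.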
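Review bot: A CSRF failure from `await middleware.applyCSRFasync(req, res)` leaves this function as a thrown error rather than a handled response, so unless the caller (outside the hunk) maps it specifically, a missing or stale token on a session-authenticated API call becomes a generic failure instead of a clear 403; wrapping the await in a `try`/`catch` that rethrows with a status attached, or documenting that the caller relies on the error's own status, would close that gap. Because `req.loggedIn` is tested before the `authorization` header, a request carrying both a session cookie and a bearer token takes the session branch and still needs the CSRF token; that is the safe choice, but a comment such as `// Session-authenticated API calls must also carry a valid CSRF token; bearer-token calls (next branch) are exempt.` would keep the commit title's "if not using bearer token" from being read as exempting such requests. The enclosing function starts before and ends after this hunk.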