From 65c5504193010396f3be00fbfdf9eb0dd576641a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sun, 28 Nov 2021 07:31:09 -0500
Subject: [PATCH] fix: 403/400/500 page not generating csrf_token

---
 src/controllers/404.js | 4 ----
 src/controllers/errors.js | 3 ---
 src/middleware/admin.js | 3 +++
 src/middleware/header.js | 3 +++
 src/routes/helpers.js | 1 -
 5 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/controllers/404.js b/src/controllers/404.js
index c364ccd3fc..3843d6bace 100644
--- a/src/controllers/404.js
+++ b/src/controllers/404.js
@@ -55,10 +55,6 @@ exports.send404 = async function (req, res) {
 });
 }

- if (req.method === 'GET') {
- await middleware.applyCSRFasync(req, res);
- }
-
 await middleware.buildHeaderAsync(req, res);
 await res.render('404', {
 path: validator.escape(path),
diff --git a/src/controllers/errors.js b/src/controllers/errors.js
index 81e7fddebd..58f12d9f98 100644
--- a/src/controllers/errors.js
+++ b/src/controllers/errors.js
@@ -79,9 +79,6 @@ exports.handleErrors = async function handleErrors(err, req, res, next) { // esl
 if (res.locals.isAPI) {
 res.json(data);
 } else {
- if (req.method === 'GET') {
- await middleware.applyCSRFasync(req, res);
- }
 await middleware.buildHeaderAsync(req, res);
 res.render('500', data);
 }
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index bfce0c2d83..47bbbc50ed 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -22,6 +22,9 @@ const middleware = module.exports;

 middleware.buildHeader = helpers.try(async (req, res, next) => {
 res.locals.renderAdminHeader = true;
+ if (req.method === 'GET') {
+ await require('./index').applyCSRFasync(req, res);
+ }
 res.locals.config = await controllers.api.loadConfig(req);
 next();
 });
diff --git a/src/middleware/header.js b/src/middleware/header.js
index 1cd7838625..28a8c36119 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
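Review bot: The inline `require('./index')` added to `buildHeader` in src/middleware/admin.js has no comment explaining why the module is resolved inside the handler instead of at the top of the file, and the same three lines are repeated in the src/middleware/header.js hunk. If the reason is a circular load between the middleware index and this module (likely, but not visible in this diff), say so above the call, e.g. `// lazy require: ./index loads this file, so a top-level require would be circular`. One more line should record that the call must stay ahead of `controllers.api.loadConfig(req)` if that is where the token is copied into the page config, and that non-GET requests are skipped on purpose. Pulling the three lines into one shared helper would keep the admin and public copies from drifting apart.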
@@ -31,6 +31,9 @@ const relative_path = nconf.get('relative_path');
 middleware.buildHeader = helpers.try(async (req, res, next) => {
 res.locals.renderHeader = true;
 res.locals.isAPI = false;
+ if (req.method === 'GET') {
+ await require('./index').applyCSRFasync(req, res);
+ }
 const [config, canLoginIfBanned] = await Promise.all([
 controllers.api.loadConfig(req),
 user.bans.canLoginIfBanned(req.uid),
diff --git a/src/routes/helpers.js b/src/routes/helpers.js
index 2f928599bc..b6ed0a7d2b 100644
--- a/src/routes/helpers.js
+++ b/src/routes/helpers.js
@@ -32,7 +32,6 @@ helpers.setupPageRoute = function (router, name, middleware, middlewares, contro
 router.get(
 name,
 middleware.busyCheck,
- middleware.applyCSRF,
 middlewares,
 middleware.buildHeader,
 helpers.tryRoute(controller)
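Review bot: Token creation in src/middleware/header.js now happens only when `buildHeader` runs, so once `middleware.applyCSRF` is dropped from `setupPageRoute` in the src/routes/helpers.js hunk, any page route that renders without `buildHeader` would no longer receive a csrf_token. The order changes as well: the per-route `middlewares` used to run after `applyCSRF` and now run before the token exists, so a route middleware that reads the token (none is visible in this diff) would find nothing. It is worth checking the other route helpers for the same assumption and adding a test that a GET for a normal page, a 404 and a 500 each carry a token while a state-changing request without one is still rejected. `buildHeader` continues past the end of this hunk.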