fix: #7115

6 years ago · 989879a6b5
parent 14c4552304
commit 989879a6b5
3 changed files with 12 additions and 4 deletions
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@ -57,7 +57,7 @@ apiController.loadConfig = function (req, callback) {
 	config.requireEmailConfirmation = meta.config.requireEmailConfirmation === 1;
 	config.topicPostSort = meta.config.topicPostSort || 'oldest_to_newest';
 	config.categoryTopicSort = meta.config.categoryTopicSort || 'newest_to_oldest';
-	config.csrf_token = req.csrfToken && req.csrfToken();
+	config.csrf_token = !req.isSpider() && req.csrfToken && req.csrfToken();
 	config.searchEnabled = plugins.hasListeners('filter:search.query');
 	config.bootswatchSkin = meta.config.bootswatchSkin || '';
 	config.enablePostHistory = (meta.config.enablePostHistory || 1) === 1;
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@ -32,7 +32,15 @@ middleware.regexes = {
 	timestampedUpload: /^\d+-.+$/,
 };

-middleware.applyCSRF = csrf();
+const csrfMiddleware = csrf();
+
+middleware.applyCSRF = function(req, res, next) {
+	if (req.uid >= 0) {
+		csrfMiddleware(req, res, next);
+	} else {
+		setImmediate(next);
+	}
+};

 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');

--- a/src/webserver.js
+++ b/src/webserver.js
@ -174,8 +174,8 @@ function setupExpressApp(app, callback) {
 		secret: nconf.get('secret'),
 		key: nconf.get('sessionKey'),
 		cookie: setupCookie(),
-		resave: true,
-		saveUninitialized: true,
+		resave: nconf.get('sessionResave') || false,
+		saveUninitialized: nconf.get('sessionSaveUninitialized') || false,
 	}));

 	var hsts_option = {