Use config flag to change whether token integrity is checked

ref KTLO-1 Allows us to get this out to self-hosters much faster
2024-08-22 22:07:33 +01:00 · 2024-08-22 22:07:33 +01:00 · 244e612f53
commit 244e612f53
parent 23c0882019
1 changed files with 11 additions and 4 deletions
--- a/ghost/core/core/server/services/members/middleware.js
+++ b/ghost/core/core/server/services/members/middleware.js
@ -169,19 +169,26 @@ const createIntegrityToken = async function createIntegrityToken(req, res) {
 };

 const verifyIntegrityToken = async function verifyIntegrityToken(req, res, next) {
+    const shouldThrowForInvalidToken = config.get('verifyRequestIntegrity');
    try {
        const token = req.body.integrityToken;
        if (!token) {
            logging.warn('Request with missing integrity token.');
-            // In future this will throw an error
-            return next();
+            if (shouldThrowForInvalidToken) {
+                throw new errors.BadRequestError();
+            } else {
+                return next();
+            }
        }
        if (membersService.requestIntegrityTokenProvider.validate(token)) {
            return next();
        } else {
            logging.warn('Request with invalid integrity token.');
-            // In future this will throw an error
-            return next();
+            if (shouldThrowForInvalidToken) {
+                throw new errors.BadRequestError();
+            } else {
+                return next();
+            }
        }
    } catch (err) {
        next(err);