From 244e612f53077c2d0424819df3cc920efd81abfd Mon Sep 17 00:00:00 2001
From: Sam Lord
Date: Thu, 22 Aug 2024 22:07:33 +0100
Subject: [PATCH] Use config flag to change whether token integrity is checked ref KTLO-1 Allows us to get this out to self-hosters much faster
---
 .../core/server/services/members/middleware.js | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/ghost/core/core/server/services/members/middleware.js b/ghost/core/core/server/services/members/middleware.js
index ffc3ce54dc..8dd3bd4e1d 100644
--- a/ghost/core/core/server/services/members/middleware.js
+++ b/ghost/core/core/server/services/members/middleware.js
@@ -169,19 +169,26 @@ const createIntegrityToken = async function createIntegrityToken(req, res) {
 };
 
 const verifyIntegrityToken = async function verifyIntegrityToken(req, res, next) {
+ const shouldThrowForInvalidToken = config.get('verifyRequestIntegrity');
 try {
 const token = req.body.integrityToken;
 if (!token) {
 logging.warn('Request with missing integrity token.');
- // In future this will throw an error
- return next();
+ if (shouldThrowForInvalidToken) {
+ throw new errors.BadRequestError();
+ } else {
+ return next();
+ }
 }
 if (membersService.requestIntegrityTokenProvider.validate(token)) {
 return next();
 } else {
 logging.warn('Request with invalid integrity token.');
- // In future this will throw an error
- return next();
+ if (shouldThrowForInvalidToken) {
+ throw new errors.BadRequestError();
+ } else {
+ return next();
+ }
 }
 } catch (err) {
 next(err);
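Review bot: In verifyIntegrityToken, both new branches still call `next()` whenever `config.get('verifyRequestIntegrity')` is falsy, so a request with a missing or invalid integrity token is only logged unless the operator has set the flag. The flag's default is not visible in this diff, and if it is unset the check stays fail-open. I would state that above the config read, e.g. `// Enforcement is opt-in: when verifyRequestIntegrity is falsy, missing/invalid tokens are logged and the request continues.` The two `throw new errors.BadRequestError();` calls carry no message, so a rejected token is hard to tell apart from any other 400 in logs; assuming the constructor takes the usual options object, `throw new errors.BadRequestError({message: 'Missing or invalid integrity token.'});` would fix that. The function's closing lines lie outside the hunk.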