From afb10eb73310574fe42ac3816e9b3d3889927acd Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 19 Jul 2018 09:16:23 +0200
Subject: [PATCH 2/9] api: do not do CSRF check on validate-password API (#24439)
This API is public.
---
 src/authentic2/api_views.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/authentic2/api_views.py b/src/authentic2/api_views.py
index 62d5b139..1c6c6f6b 100644
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@@ -22,6 +22,7 @@ from rest_framework import permissions, status
 from rest_framework.exceptions import PermissionDenied, AuthenticationFailed
 from rest_framework.fields import CreateOnlyDefault
 from rest_framework.decorators import list_route, detail_route
+from rest_framework.authentication import SessionAuthentication
 from django_filters.rest_framework import FilterSet
@@ -720,12 +721,19 @@ class CheckPasswordAPI(BaseRpcView):
 check_password = CheckPasswordAPI.as_view()
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    def enforce_csrf(self, request):
+        return # To not perform the csrf check previously happening
+
+
 class ValidatePasswordSerializer(serializers.Serializer):
     password = serializers.CharField(required=True)
+
 class ValidatePasswordAPI(BaseRpcView):
     permission_classes = ()
+    authentication_classes = (CsrfExemptSessionAuthentication,)
     serializer_class = ValidatePasswordSerializer
     def rpc(self, request, serializer):
-- 
2.18.0
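Review bot: CsrfExemptSessionAuthentication still authenticates the caller from the session cookie, so a cross-site POST to ValidatePasswordAPI now reaches rpc() with request.user bound to the browser's existing session; whether that matters depends on rpc(), whose body lies outside this hunk. If rpc() does not read request.user, `authentication_classes = ()` states "public, no identity" directly and needs no CSRF-bypassing subclass at all. If it does need the user (for example so password validators can compare the candidate against the user's own attributes), keep the subclass but document the constraint where it is defined: replace the trailing comment on `return` with a docstring such as `"""SessionAuthentication minus the CSRF check; only for views with permission_classes = () that change no state on behalf of request.user."""`. As a reusable helper the new class also belongs with the other authentication classes near the top of the module rather than between two views.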