- I want to set up apps using app_api
- In CORSMiddleware.php, I see a comment like the below:
  ```php
  // ensure that @CORS annotated API routes are not used in conjunction
  // with session authentication since this enables CSRF attack vectors
  ```
- I see in server/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php at 7442a88ac83f00051fbc8592c34819fa9d27764e · nextcloud/server · GitHub that the CSRF check is skipped when the session contains `'app_api'` set to `true`
- For any other CORS request that doesn't pass the BASIC auth requirement I see an error like `CORS requires basic auth`
- I want to set up and use the `app_api` apps, but I want to confirm if skipping this check in the nextcloud codebase is safe. If so, why is it safe?
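To make the reasoning behind the middleware comment concrete, here is an added Python model of the decision the post describes (it is not Nextcloud's code; the `Request` shape, the order of the checks and the sample requests are assumptions). It shows why a cross-site request that rides on the browser's automatically attached session cookie is rejected on a `@CORS` route, why a client sending its own `Authorization: Basic` header is accepted, and that the `app_api` session flag is a third path that bypasses the basic-auth requirement entirely, so its safety rests on how that flag gets into the session.

```python
import base64
from dataclasses import dataclass, field


class SecurityException(Exception):
    pass


@dataclass
class Request:
    headers: dict = field(default_factory=dict)   # headers the client actually sent
    session: dict = field(default_factory=dict)   # server-side session bound to the cookie
    cors_route: bool = True                       # route carries the @CORS annotation


def is_basic_auth(headers):
    """True only if the client supplied a well-formed non-empty Basic credential."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return False
    return bool(user) and bool(password)


def before_controller(req):
    """Model of the CORS middleware decision described in the post (assumption)."""
    if not req.cors_route:
        return "ok: not a CORS route, the normal CSRF token check applies"
    if req.session.get("app_api") is True:
        # bypass path: nothing about the request itself is verified here
        return "ok: app_api session, CSRF check skipped"
    if not is_basic_auth(req.headers):
        # a browser attaches cookies to cross-site requests by itself, but it
        # never adds an Authorization header the attacking page does not hold
        raise SecurityException("CORS requires basic auth")
    return "ok: basic auth supplied by the client"


def cors_outcome(req):
    try:
        return before_controller(req)
    except SecurityException as exc:
        return f"denied: {exc}"


# constructed sample requests
FORGED = Request(headers={"Cookie": "nc_session_id=abc"}, session={"uid": "alice"})
API_CLIENT = Request(headers={"Authorization": "Basic " + base64.b64encode(b"alice:app-pw").decode()})
APP_API = Request(headers={"Cookie": "nc_session_id=def"}, session={"uid": "alice", "app_api": True})
```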