Exclude Fence register-user blueprint from CSRF check (#1580)

uc-cdis · Apr 26, 2021 · fb77af1 · fb77af1
1 parent aa78400
commit fb77af1
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/kube/services/revproxy/gen3.nginx.conf/fence-service.conf b/kube/services/revproxy/gen3.nginx.conf/fence-service.conf
@@ -31,6 +31,16 @@ location /user/ {
     proxy_pass $upstream;
 }
 
+location /user/register-user {
+    # Like /user/ but without CSRF check. Registration form submission is
+    # incompatible with revproxy-level cookie-to-header CSRF check.
+    # Fence enforces its own CSRF protection here so this is OK.
+    set $proxy_service  "${fence_release_name}";
+    set $upstream http://${fence_release_name}-service$des_domain;
+    rewrite ^/user/(.*) /$1 break;
+    proxy_pass $upstream;
+}
+
 location /user/data/download {
     if ($csrf_check !~ ^ok-\S.+$) {
       return 403 "failed csrf check";