Don't require CSRF token for get files

server/api/api.go

@@ -55,6 +55,8 @@ func (a *API) RegisterRoutes(r *mux.Router) {
 	apiv1.HandleFunc("/login", a.handleLogin).Methods("POST")
 	apiv1.HandleFunc("/register", a.handleRegister).Methods("POST")
 
+	apiv1.HandleFunc("/files", a.sessionRequired(a.handleUploadFile)).Methods("POST")
+
 	apiv1.HandleFunc("/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
 	apiv1.HandleFunc("/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
 
@@ -64,12 +66,9 @@ func (a *API) RegisterRoutes(r *mux.Router) {
 	apiv1.HandleFunc("/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
 	apiv1.HandleFunc("/workspace/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST")
 
-	// Files API
+	// Get Files API
 
 	files := r.PathPrefix("/files/").Subrouter()
-	files.Use(a.requireCSRFToken)
-
-	files.HandleFunc("/", a.sessionRequired(a.handleUploadFile)).Methods("POST")
 	files.HandleFunc("/{filename}", a.sessionRequired(a.handleServeFile)).Methods("GET")
 }
 

webapp/src/octoClient.ts

@@ -232,14 +232,14 @@ class OctoClient {
         formData.append('file', file)
 
         try {
+            const headers = this.headers() as Record<string, string>
+
+            // TIPTIP: Leave out Content-Type here, it will be automatically set by the browser
+            delete headers['Content-Type']
+
             const response = await fetch(this.serverUrl + '/api/v1/files', {
                 method: 'POST',
-
-                // TIPTIP: Leave out Content-Type here, it will be automatically set by the browser
-                headers: {
-                    Accept: 'application/json',
-                    Authorization: this.token ? 'Bearer ' + this.token : '',
-                },
+                headers,
                 body: formData,
             })
             if (response.status !== 200) {