How to Enable CSRF bypass in Ghost?

truekasun · March 30, 2025, 12:26pm

Hey there!

Can anyone point me on how to Enable CSRF bypass in Ghost?

ghost/core/core/server/services/auth/session/session-service.js

4708da00e


      
           */
          async function getUserForSession(req, res) {
              // CASE: we don't have a cookie header so allow fallthrough to other
              // auth middleware or final "ensure authenticated" check
              if (!req.headers || !req.headers.cookie) {
                  return null;
              }
          
              const session = await getSession(req, res);
              // Enable CSRF bypass (useful for OAuth for example)
              if (!res || !res.locals || !res.locals.bypassCsrfProtection) {
                  cookieCsrfProtection(req, session);
              }
          
              if (!session || !session.user_id) {
                  return null;
              }
          
              try {
                  const user = await findUserById({id: session.user_id});
                  return user;

Notes:

This is for development environments where I use devtunnels (hence the origin is different from localhost) Request made from incorrect origin. Expected 'http://localhost:2368' received 'https://{random-text-here}.asse.devtunnels.ms
I can comment out line 338 (and it solves the issue). But I’d like to know the proper way to do this.

Thank you in advance!
Kasun.

vikaspotluri123 · March 30, 2025, 10:06pm

It’s only used for testing:

I’m assuming that if you set your Ghost URL to the devtunnels URL, you won’t get this issue

truekasun · March 31, 2025, 2:43am

The problem is, the dev tunnels URLs (generated by VS Code) are random, and when I access the code server from a different client, it generates another URL.

Is there any workaround for this?

Topic		Replies	Views
User Authentication (Session based) on Ghost (Pro)? Integrations & API	3	691	July 22, 2023
Ghost as headless cms and React frontend Developer help	8	2370	May 24, 2019
Ghost Admin is a blank page with missing css and js but /blog is working Developer help	3	1482	November 22, 2018
Fetch posts without Ghost Admin API from Cloudflare Worker Developer help	5	1207	January 9, 2022
Add self signed SSL cert to ghost local development mode Developer help	7	1404	August 2, 2018

How to Enable CSRF bypass in Ghost?

Related topics