Merge pull request #8411 from BerkeleyTrue/fix/csrf-camperbot

Remove csrf from api calls

server/middlewares/csurf.js

@@ -1,5 +1,12 @@
 import csurf from 'csurf';
 
 export default function() {
-  return csurf({ cookie: true });
+  const protection = csurf({ cookie: true });
+  return function csrf(req, res, next) {
+    const path = req.path.split('/')[1];
+    if (/api/.test(path)) {
+      return next();
+    }
+    return protection(req, res, next);
+  };
 }

server/middlewares/global-locals.js

@@ -2,7 +2,7 @@ export default function globalLocals() {
   return function(req, res, next) {
     // Make user object available in templates.
     res.locals.user = req.user;
-    res.locals._csrf = req.csrfToken();
+    res.locals._csrf = req.csrfToken ? req.csrfToken() : null;
     next();
   };
 }