diff --git a/api-server/server/boot/donate.js b/api-server/server/boot/donate.js
index e3680d2b2a..33e2c80fcc 100644
--- a/api-server/server/boot/donate.js
+++ b/api-server/server/boot/donate.js
@@ -20,6 +20,7 @@ const log = debug('fcc:boot:donate');
 export default function donateBoot(app, done) {
 let stripe = false;
+ const { User } = app.models;
 const api = app.loopback.Router();
 const hooks = app.loopback.Router();
 const donateRouter = app.loopback.Router();
@@ -120,6 +121,22 @@ export default function donateBoot(app, done) {
 });
 }
+ const fccUser = user
+ ? Promise.resolve(user)
+ : new Promise((resolve, reject) =>
+ User.findOrCreate(
+ { where: { email } },
+ { email },
+ (err, instance, isNew) => {
+ log('createing a new donating user instance: ', isNew);
+ if (err) {
+ return reject(err);
+ }
+ return resolve(instance);
+ }
+ )
+ );
+
 let donatingUser = {};
 let donation = {
 email,
@@ -169,12 +186,12 @@ export default function donateBoot(app, done) {
 });
 };
- return Promise.resolve(user)
+ return Promise.resolve(fccUser)
 .then(nonDonatingUser => {
 const { isDonating } = nonDonatingUser;
- if (isDonating) {
+ if (isDonating && duration !== 'onetime') {
 throw {
- message: `User already has active donation(s).`,
+ message: `User already has active recurring donation(s).`,
 type: 'AlreadyDonatingError'
 };
 }
diff --git a/api-server/server/middlewares/csurf.js b/api-server/server/middlewares/csurf.js
index 996f86be76..7229e4194f 100644
--- a/api-server/server/middlewares/csurf.js
+++ b/api-server/server/middlewares/csurf.js
@@ -8,7 +8,12 @@ export default function() {
 });
 return function csrf(req, res, next) {
 const { path } = req;
- if (/^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/.test(path)) {
+ if (
+ // eslint-disable-next-line max-len
+ /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$|^\/donate\/charge-stripe$/.test(
+ path
+ )
+ ) {
 return next();
 }
 return protection(req, res, next);
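Review bot: The `User.findOrCreate({ where: { email } }, { email }, …)` call in the new `fccUser` branch selects or creates an account from `email` alone, and because this commit also exempts `/donate/charge-stripe` from authorization and CSRF checks, a caller without a session reaches it. `email` is assigned outside the hunk and is presumably the raw request value, so it should be format-checked and normalised before the lookup; otherwise an unverified address can be matched to an existing account or create a new record. The promise is built eagerly, so the write happens before the later Stripe steps and persists even if they fail; deferring it into the chain, e.g. `const getFccUser = () => (user ? Promise.resolve(user) : new Promise(…))`, avoids that. The log string has a typo (`'createing'`), and `donateBoot` continues outside the hunk.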
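Review bot: The `AlreadyDonatingError` thrown when `isDonating && duration !== 'onetime'` now tells a signed-out caller whether the account behind a submitted address has a recurring donation, since `fccUser` can be resolved from an email rather than a session. If this error is passed to the client unchanged (the handler that catches it is outside the hunk), a generic failure message for requests without a session would avoid disclosing donor status. `duration` is compared only against the literal `'onetime'`, so it should be validated against the allowed set before this point; the hunk does not show whether that happens.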
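Review bot: Adding `^\/donate\/charge-stripe$` to the bypass in `csrf()` removes CSRF protection from a browser-submitted, state-changing request for signed-in users too, whereas the two `/hooks/…` paths already listed look like provider callbacks. If the aim is only to let signed-out donors post, the skip could be limited to requests that carry no session, or the donation form could fetch a token like other forms do. The `eslint-disable-next-line max-len` can be dropped by hoisting the pattern into a named constant with a comment stating why each path is exempt. The same path is repeated as `donateRE` in request-authorization.js, so one shared constant would keep the two lists from drifting.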
diff --git a/api-server/server/middlewares/request-authorization.js b/api-server/server/middlewares/request-authorization.js
index 160838262c..3aa8ad486c 100644
--- a/api-server/server/middlewares/request-authorization.js
+++ b/api-server/server/middlewares/request-authorization.js
@@ -25,6 +25,9 @@ const unsubscribedRE = /^\/unsubscribed\//;
 const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
 const updateHooksRE = /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/;
+// note: this would be replaced by webhooks later
+const donateRE = /^\/donate\/charge-stripe$/;
+
 const _whiteListREs = [
 authRE,
 confirmEmailRE,
@@ -37,7 +40,8 @@ const _whiteListREs = [
 statusRE,
 unsubscribedRE,
 unsubscribeRE,
- updateHooksRE
+ updateHooksRE,
+ donateRE
 ];
 export function isWhiteListedPath(path, whiteListREs = _whiteListREs) {
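Review bot: `donateRE` places a payment-creating route on the unauthenticated allow-list (it is appended to `_whiteListREs` in the second hunk), and nothing visible in this commit adds throttling or a bot check in front of it. Charge endpoints that need no session are a common target for card-testing abuse, so per-IP and per-email rate limiting, or a challenge on the form, is worth having before this ships. The comment `// note: this would be replaced by webhooks later` does not record why the route is safe to open; something like `// charge-stripe is callable without a session so signed-out visitors can donate; the handler must treat every field as untrusted` would state the trust assumption for the next reader.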