Fix X-CMS-Authorization auth, and disable xsrf protection for it.

veluca93 · veluca93 · commit ba3762f3d0a2 · 2025-06-23T16:58:42.000+02:00
diff --git a/cms/server/contest/handlers/contest.py b/cms/server/contest/handlers/contest.py
@@ -159,6 +159,11 @@ def get_current_user(self) -> Participation | None:
         """
         cookie_name = self.contest.name + "_login"
         cookie = self.get_secure_cookie(cookie_name)
+        authorization_header = self.request.headers.get(
+            "X-CMS-Authorization", None)
+        if authorization_header is not None:
+            authorization_header = tornado_web.decode_signed_value(self.application.settings["cookie_secret"],
+                                                                   cookie_name, authorization_header)
 
         try:
             ip_address = ipaddress.ip_address(self.request.remote_ip)
@@ -170,7 +175,7 @@ def get_current_user(self) -> Participation | None:
         participation, cookie = authenticate_request(
             self.sql_session, self.contest,
             self.timestamp, cookie,
-            self.request.headers.get("X-CMS-Authorization", None),
+            authorization_header,
             ip_address)
 
         if cookie is None:
@@ -309,6 +314,14 @@ def notify_warning(
     def notify_error(self, subject: str, text: str, text_params: object | None = None):
         self.add_notification(subject, text, NOTIFICATION_ERROR, text_params)
 
+    def check_xsrf_cookie(self):
+        # We don't need to check for xsrf if the request came with a custom
+        # header, as those are not set by the browser.
+        if "X-CMS-Authorization" in self.request.headers:
+            pass
+        else:
+            super().check_xsrf_cookie()
+
 
 class FileHandler(ContestHandler, FileHandlerMixin):
     pass
