Merge pull request #113 from jmortlock/master

API mode will not define the verify_authenticity_token action
doorkeeper-gem · May 25, 2020 · e8ce8fa · e8ce8fa
2 parents a97bf0d + c50a59a
commit e8ce8fa
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Unreleased
 
+- [#114] Fix user_info endpoint when used in api mode
+
 ## v1.7.2 (2020-05-20)
 
 ### Changes

diff --git a/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb b/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
@@ -3,7 +3,9 @@
 module Doorkeeper
   module OpenidConnect
     class UserinfoController < ::Doorkeeper::ApplicationController
-      skip_before_action :verify_authenticity_token
+      unless Doorkeeper.config.api_only
+        skip_before_action :verify_authenticity_token
+      end
       before_action -> { doorkeeper_authorize! :openid }
 
       def show