From 48b3d66d90a24333e72ee4171e174854c8f12c99 Mon Sep 17 00:00:00 2001
From: Simo Kinnunen <simo@shoqolate.com>
Date: Fri, 10 Jul 2015 15:43:54 +0900
Subject: [PATCH] Exclude dummy endpoint from CSRF check. It's used as a hack
 to enable autocomplete on certain fields.

---
 lib/units/app/index.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/units/app/index.js b/lib/units/app/index.js
index 392d0551..7cc8ae25 100644
--- a/lib/units/app/index.js
+++ b/lib/units/app/index.js
@@ -82,6 +82,13 @@ module.exports = function(options) {
   , authUrl: options.authUrl
   }))
 
+  // This needs to be before the csrf() middleware or we'll get nasty
+  // errors in the logs. The dummy endpoint is a hack used to enable
+  // autocomplete on some text fields.
+  app.all('/app/api/v1/dummy', function(req, res) {
+    res.send('OK')
+  })
+
   app.use(bodyParser.json())
   app.use(csrf())
   app.use(validator())
@@ -91,10 +98,6 @@ module.exports = function(options) {
     next()
   })
 
-  app.all('/app/api/v1/dummy', function(req, res) {
-    res.send('')
-  })
-
   app.get('/', function(req, res) {
     res.render('index')
   })