From 842f4ae40ec0e2a070281cdacb56c4fef4dd747d Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Mon, 11 Aug 2025 15:13:35 +1000
Subject: [PATCH] Re-enable CSRF check supported by DPM now

---
 .../enterprises/form/_dfc_permissions.html.haml |  3 ++-
 .../dfc_provider/platforms_controller.rb        | 15 +++++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/app/views/admin/enterprises/form/_dfc_permissions.html.haml b/app/views/admin/enterprises/form/_dfc_permissions.html.haml
index ffdb95fe46..6521ad003d 100644
--- a/app/views/admin/enterprises/form/_dfc_permissions.html.haml
+++ b/app/views/admin/enterprises/form/_dfc_permissions.html.haml
@@ -23,7 +23,8 @@
   scopes-uri="https://cdn.startinblox.com/owl/dfc/taxonomies/scopes.jsonld"
   noRouter
   auto-lang
-  lang="en">
+  lang="en"
+  auth-token="#{form_authenticity_token}">
 
 %script{type: "module", src: "https://cdn.jsdelivr.net/npm/@startinblox/solid-data-permissioning@latest/dist/index.js"}
 
diff --git a/engines/dfc_provider/app/controllers/dfc_provider/platforms_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/platforms_controller.rb
index 33bb0f3a56..2bd62b841c 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/platforms_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/platforms_controller.rb
@@ -8,12 +8,7 @@ module DfcProvider
       'cqcm-dev' => "https://api.proxy-dev.cqcm.startinblox.com/profile",
     }.freeze
 
-    # DANGER!
-    # This endpoint is open to CSRF attacks.
-    # This is a temporary measure until the DFC Permissions module accesses
-    # the API with a valid OIDC token to authenticate the user.
-    skip_before_action :verify_authenticity_token
-
+    prepend_before_action :move_authenticity_token
     before_action :check_enterprise
 
     def index
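Review bot: The session's CSRF token is now placed in the DOM for a third-party component whose script is loaded from `@startinblox/solid-data-permissioning@latest` on jsDelivr with no `integrity` attribute, and the controller half of this commit says the component re-sends that value as an Authorization header. If the component attaches that header to requests bound for other origins (for example the `scopes-uri` on cdn.startinblox.com), the token leaves the site and whoever receives it can forge cookie-authenticated POSTs for the rest of the session, which is exactly what the re-enabled check is meant to stop; confirm from the component's source that `auth-token` is only sent to same-origin calls, and pin the script to an exact version with an `integrity=` hash so a CDN package update cannot change that behaviour silently. A HAML comment above the new attribute would save the next reader a trip to the controller: `-# Rails CSRF token, not an OIDC token; DfcProvider::PlatformsController maps it back from the Authorization header`. The element whose attributes these are opens before this hunk.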
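Review bot: `prepend_before_action :move_authenticity_token` runs ahead of every callback inherited from the parent controller, so if that chain authenticates API clients from the Authorization header (the OIDC bearer token the removed comment anticipated), those credentials are consumed as a CSRF token and deleted before the authenticator sees them, locking bearer-authenticated clients out of this controller; the parent is not in the hunk, so this is inferred from the ordering rather than observed. If bearer access is meant to keep working, make the move conditional on a cookie session actually being present, e.g. `prepend_before_action :move_authenticity_token, if: -> { request.cookie_jar.key?(Rails.application.config.session_options[:key]) }`, so requests without a session cookie keep their Authorization header. The deleted DANGER block also took the only explanation of the auth model with it; a one-line replacement next to the new callback, `# Inherited verify_authenticity_token is active again; the DPM component carries the CSRF token as a bearer token, hence the prepend`, keeps that visible. The class header is outside this hunk.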
@@ -101,5 +96,13 @@ module DfcProvider
         grantee: platform_id,
       ).pluck(:scope)
     end
+
+    # The DFC Permission Module is sending tokens in the Authorization header.
+    # It assumes that it's an OIDC access token but we are passing the Rails
+    # CSRF token to the component to allow POST request with cookie auth.
+    def move_authenticity_token
+      token = request.delete_header('HTTP_AUTHORIZATION').to_s.split.last
+      request.headers['X-CSRF-Token'] = token if token
+    end
   end
 end
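Review bot: `split.last` in `move_authenticity_token` accepts any Authorization value at all, so a `Basic …` credential or a genuine bearer JWT is also moved into `X-CSRF-Token` and the original header is deleted for every later callback, and because `delete_header` only removes `HTTP_AUTHORIZATION`, the `X-HTTP_AUTHORIZATION`/`REDIRECT_X_HTTP_AUTHORIZATION` fallbacks that `request.authorization` reads are left in place, giving two different views of the same header. Restrict the move to the `Bearer` scheme and leave the header alone otherwise; if the component is known to send only the CSRF token, that is enough, and if real OIDC tokens can also arrive here, skipping values that contain `.` (a JWT has two, a Rails masked token has none) is a further guard worth confirming against the component's behaviour. The method's comment should also state the ordering this relies on, e.g. `# Must run before verify_authenticity_token (prepended in the callback list).`

```ruby
    def move_authenticity_token
      scheme, token = request.authorization.to_s.split(' ', 2)
      return unless scheme&.casecmp?('Bearer') && token.present?

      request.delete_header('HTTP_AUTHORIZATION')
      request.headers['X-CSRF-Token'] = token.strip
    end
```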